On Sat, 10 Mar 2012 00:33:36 +0000
lkcl luke wrote:

>  in the case of the debian distribution, that's encoded into the
> /etc/apt/sources.list file.  if users edit that file and start adding
> e.g. "deb http://debian-multimedia.org";

If you're looking at distro package signing, archlinux.org has just
implemented a gpg-based signing system for their packages using 5 master
keys set to marginal trust, with any package with 3 of those getting an
ok.

If you're talking about markets like the one for Android, then it has to be just
an author's private key as all you trust. Would be cool if Google
reviewed some source-code apps and signed a package built by them with
their key, but that would be too much work. Others could sign the
author's key too as a web of trust, as long as people don't just take
many signatures as good and actually look for trusted people (almost no
average users would do that).

Maybe bandwidth, integrity vs. security and phone resources are a
problem, but I'd love to see phones with daily updates and a trusted
default source-code repository like desktop Linux.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
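The "5 master keys at marginal trust, 3 signatures make a package ok" scheme mentioned in the message above, as an added example that is not part of the original post nor of Arch's pacman-key code: a toy model of GnuPG's classic trust computation, assuming gpg's default thresholds (marginals-needed=3, completes-needed=1); every key id below is constructed.

```python
# Added example, not from the post: toy model of GnuPG classic trust as used by
# the Arch scheme above. All key ids below are constructed for illustration.
from dataclasses import dataclass, field

MARGINALS_NEEDED = 3  # gpg default --marginals-needed
COMPLETES_NEEDED = 1  # gpg default --completes-needed

@dataclass
class Key:
    keyid: str
    owner_trust: str = "unknown"  # ultimate | full | marginal | unknown
    signed_by: set = field(default_factory=set)  # keyids that certified this key

def key_validity(key, keyring, _seen=None):
    """Return 'full' (valid), 'marginal' (some trust, not enough) or 'unknown'."""
    if key.owner_trust == "ultimate":
        return "full"
    seen = (_seen or set()) | {key.keyid}
    completes = marginals = 0
    for signer_id in key.signed_by:
        signer = keyring.get(signer_id)
        if signer is None or signer.keyid in seen:
            continue  # unknown signer or certification cycle contributes nothing
        # A certification counts only if the signer's key is itself valid AND
        # the signer has been assigned owner trust (marginal or full).
        if key_validity(signer, keyring, seen) != "full":
            continue
        if signer.owner_trust in ("ultimate", "full"):
            completes += 1
        elif signer.owner_trust == "marginal":
            marginals += 1
    if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
        return "full"
    return "marginal" if (completes or marginals) else "unknown"

def build_keyring():
    """Constructed keyring: local root key signs five masters; masters certify packagers."""
    root = Key("ROOT", owner_trust="ultimate")
    masters = [Key(f"MASTER{i}", owner_trust="marginal", signed_by={"ROOT"}) for i in range(1, 6)]
    packagers = [
        Key("PKG_A", signed_by={"MASTER1", "MASTER2", "MASTER3"}),  # three marginals: valid
        Key("PKG_B", signed_by={"MASTER1", "MASTER2"}),             # only two: not yet valid
        Key("PKG_C", signed_by={"STRANGER"}),                       # signer not in keyring: unknown
    ]
    return {k.keyid: k for k in [root, *masters, *packagers]}

def package_signature_ok(signer_keyid, keyring):
    """Accept a package only when its signing key is fully valid under the model."""
    key = keyring.get(signer_keyid)
    return key is not None and key_validity(key, keyring) == "full"
```

The point to take away is that a master key's signature is only worth a "marginal" vote because of the owner trust assigned to it, so a packager key signed by two masters is still rejected until a third master certifies it.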