Artem S. Tashkinov via devel wrote:
> There must be a website or a central authority which includes known to be
> good/safe/verified/vetted open source packages along with e.g.
> SHA256/384/512/whatever hashes of the source tarballs. In addition, the
> source tarballs (not their compressed versions because people may use
> different compressors and compression settings) and their hashes must be
> digitally signed or have the appropriate PGP signatures from the trusted
> parties.
>
> Some parties must be assigned trust to be able to push new packages to
> this repository. Each push must be verified by at least two independent
> parties, let's say RedHat and Ubuntu or Ubuntu and Arch, it doesn't
> matter. The representatives of these parties must be people whose
> whereabouts are known to confirm who they physically are. No nicknames
> allowed.
This is just fundamentally not how Free Software works.
Kevin Kofler
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
