On 2011-1-8 16:02, Jeremy Lavergne wrote:
>> As another problem, if we use keys for each maintainer, how do we make sure
>> none of the private keys will ever be compromised (carrying around on mobile
>> devices, tiresome typing of a passphrase, etc.)? I might be a little bit
>> paranoid on this, but we have to consider the weakest link here.
>
> We already trust the port maintainers to not submit trojans in their ports.

It's practical to review portfiles; it's not practical to disassemble and review binaries. I'm already uncomfortable with third party mirrors of the ports tree, FTR.

>> It's not about the distribution on an external server, but in which way the
>> archive was created.
>
> Why can't maintainers offer their archives alongside the ones from MacPorts'
> MPAB?

They can. They just can't have them officially endorsed.

- Josh
_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev