Greg Stark writes:
We've got to be a little more careful with the Replaces header. I just
installed the libc6 version of comerr, and dpkg helpfully deinstalled
e2fsprogs.
I can see a security problem with this. Let's jump ahead several months
when we have deity working. A user
Brandon Mitchell [EMAIL PROTECTED] wrote:
I can see a security problem with this.
Absolutely: pre/post inst/rm scripts run as root, this is the security
problem to dwarf all other security problems.
Our defense is a wide audience. The more people we have looking at the
system, the better
Brandon Mitchell wrote:
I can see a security problem with this. Let's jump ahead several months
when we have deity working. A user points deity to several sites, some
providing a bunch of debs that they have created but don't want to be part
of the main distribution. Now they upload a new
On Sun, 30 Nov 1997, Brandon Mitchell wrote:
I'd also be interested in some kind of verification, so I can accept all
packages put together by some maintainer, and the maintainers on the
debian keyring, but no one else.
I had exactly the same idea in the previous KDE/virtual package
On Mon, 1 Dec 1997, Christian Schwarz wrote:
The default keyring would probably be the developers keyring. The
sysadmin could then add new keys of persons/organizations which he/she
trusts to that keyring.
Comments?
Err... yes.
Am I the only one seeing a bit of a problem here? (Or am I
Christian Schwarz wrote:
I suggest that we add a new control field to our packages called
Origin: (or similar). This could either be set to SPI or
Debian, for example. Then, all Debian packages should be signed
with some PGP key (either only one key for the whole system or by
the
On Mon, 1 Dec 1997, Marcelo E. Magallon wrote:
Am I the only one seeing a bit of a problem here? (Or am I missing
something I should know?) That is, PGP is non-US. To be able to put PGP
in the main distribution, the master FTP site has to be moved off the US.
I don't have a problem with