Christian Schwarz <[EMAIL PROTECTED]> writes: > I still think that it's not our job to "judge" which packages are fine and > which are not. What we can probably do, is to set up a web page which > explains packages from third parties and describes their problems, but > "hardcoded" a list into dpkg is too much, I think. If the user decides to > install a package from someone else, he/she should be free to do it. dpkg > could warn then, if the origin is unknown (i.e., if the PGP signature > can't be checked) but should actually perform the installation if some > --force-unknown-origin flag is set.
After further consideration, I agree. We can't go around second guessing and monitoring other "Origins". We should just support the origin field (and PGP verification), and leave it up to the user to decide which organizations they trust. -- Rob Browning <[EMAIL PROTECTED]> PGP fingerprint = E8 0E 0D 04 F5 21 A0 94 53 2B 97 F5 D6 4E 39 30

