On 2015-02-12 18:20, Nikolaus Rath wrote:
> Christian Kastner <[email protected]> writes:
>> I highly disagree. "Contributing to Debian for 5 years" alone is well
>> within the means and patience of various organizations with potentially
>> malicious intentions.
>
> Does that mean you're individually verifying the credentials of whatever
> developer signed an upload before running dpkg -i?

I don't have any packages installed via dpkg -i. I don't have a use case for that (is this common?). I install all my packages via apt-get or aptitude, and I only use official mirrors, where the Release files are signed by an archive key, which is signed by DDs, whose identity I can rely on through the web of trust.

I install all the stuff I don't trust on a Windows box (with the other software I very rarely use, but occasionally need).

> I believe at the moment Debian doesn't even enforce any number or
> period of contributions, so I'm curious what it means for you in
> practice to generally not trust Debian developers.

Nonsense. I generally trust anyone whose key is in the keyring. Most people in there have a multitude of signatures, so that increases my confidence in their identity even more.

However, those are not the people you are talking about. The argument you are raising is that people could be trustworthy even if they have had *zero* personal identity verification. And I maintain that those people cannot be trusted with unrestricted upload rights to the archive.

That person-no-one-has-ever-met but occasionally-prepares-and-uploads-packages could just be a well motivated person (or a group of people -- who knows?) hoping to eventually compromise a popular OS such as Debian, with zero risk of personal consequences, or criminal prosecution.

I know, from personal experience, that getting a key signed can be hard. But I think it's not just an acceptable, but perfectly reasonable hurdle to clear for the power that you are granted (via upload rights).

Regards,
Christian

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: https://lists.debian.org/[email protected]

