From: =?iso-8859-1?Q?Nicol=E1s_Lichtmaier?= <[EMAIL PROTECTED]>
> Yes, they are. Testing, and revising developers diffs. If you could check
> package MD5 (someday we'll be able to do this =3D) ), you'll only need to
> see the diff.gz to check for security problems (Asuming we can trust the
> mainstream developer).
What Nick is trying to say here is that we are working on procedures for
signing source packages all the way back to the original author, and making
it easy to see exactly what Debian has changed. We had it _almost_ right.
> The proble left is: The .deb uploaded can be generated by a source not
> included in the source package. It would be great if gcc placed some kind
> of signature in binaries...
But how do you guarantee that someone doesn't pervert gcc?
> let's make all developers upload only the source versions of their
> packages! An automated script can compile all the packages in some trusted
> environment.
When I last heard, we had some 240 (out of 900) packages not converted to
the new source format. This gets in the way of automatic compilation.
Volunteers to work on that are welcome.
Thanks
Bruce
--
Bruce Perens K6BP [EMAIL PROTECTED] 510-215-3502
Finger [EMAIL PROTECTED] for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6 1F 89 6A 76 95 24 87 B3
