On Fri, Jan 22, 2010 at 1:08 PM, Eero Tamminen <[email protected]> wrote:

> There must be somebody who is responsible for the uploaded package and
> some way to contact him. The uploader must have somehow verified that
> the package isn't e.g. malicious (even if it's just taken from a trusted
> source).
>
> If it's a team, they might even share the ssh-key. But I think it would
> be better to have some configuration thing where Maintainer can grant
> upload rights for his package to others he trusts.
> [snip]
I (personally) think that the Maintainer field doesn't need to match a valid user in garage, but I also think that we should have an obligatory PGP signing (authenticated by the autobuilder), which can then be shared by members of a team (for team maintained packages).

The e-mail itself is IMHO only a small percent of what can be manipulated on a package... Ok, we have md5 sums, but PGP gives both integrity and authorship guarantees, and any rebuilds by third parties (intentional or not) will invalidate the PGP signature.

My two cents,

-- 
Anderson Lizardo
OpenBossa Labs - INdT
Manaus - Brazil

_______________________________________________
maemo-developers mailing list
[email protected]
https://lists.maemo.org/mailman/listinfo/maemo-developers
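Added example, not from the thread or from the maemo autobuilder: a toy RSA signature over a package file, showing the point made above that a signature, unlike an md5sum, pins authorship and stops verifying after a third-party rebuild. The key parameters, the package bytes and the "rebuild" are all constructed for the demo; a real uploader would sign with a PGP key.

```python
import hashlib

# Constructed toy RSA key: primes this small are for illustration only.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def digest_int(blob: bytes) -> int:
    """SHA-256 of the package, reduced mod N so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def sign(blob: bytes, d: int = D) -> int:
    """Maintainer produces a detached signature with the private exponent."""
    return pow(digest_int(blob), d, N)


def verify(blob: bytes, sig: int, e: int = E) -> bool:
    """Anyone holding the public exponent can check the signature."""
    return pow(sig, e, N) == digest_int(blob)


def md5sum(blob: bytes) -> str:
    """The integrity-only check the thread compares against."""
    return hashlib.md5(blob).hexdigest()


def rebuild_scenario() -> dict:
    """Original upload vs. a rebuilt package republished with a fresh md5sum."""
    original = b"Package: foo\nVersion: 1.0-1\nMaintainer: Alice <alice@example.org>\n"  # constructed
    manifest_md5 = md5sum(original)
    sig = sign(original)
    # A third party rebuilds the package and ships it with a recomputed
    # md5sum; recomputing a hash needs no secret, so the md5 check still passes.
    rebuilt = original.replace(b"1.0-1", b"1.0-1rebuild1")
    republished_md5 = md5sum(rebuilt)
    return {
        "original_md5_ok": md5sum(original) == manifest_md5,
        "rebuilt_md5_matches_republished": md5sum(rebuilt) == republished_md5,
        "original_sig_ok": verify(original, sig),
        # The rebuilder holds no private key, so the old signature no longer fits.
        "rebuilt_sig_ok": verify(rebuilt, sig),
    }
```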
