Re: dinstall and PGP

1998-04-15 Thread Adam Klein
On Tue, Apr 14, 1998 at 12:34:43AM +0200, Marco d'Itri wrote: > On Apr 09, Manoj Srivastava <[EMAIL PROTECTED]> wrote: > > >Those files are small. One can copy them back easily (using > > ftp, even), sign them locally, and upload two tiny files. > That's not enough. After I signed the .chang

Re: dinstall and PGP

1998-04-15 Thread Marco d'Itri
On Apr 09, Manoj Srivastava <[EMAIL PROTECTED]> wrote: > Those files are small. One can copy them back easily (using > ftp, even), sign them locally, and upload two tiny files. That's not enough. After I signed the .changes and .dsc files (and moved back the other files from REJECT/) I rece

Re: dinstall and PGP

1998-04-09 Thread Roman Hodek
> Can someone hack dinstall to install packages which are not PGP > signed but has been copied to incoming? If the UID of the files is > the one of a developer we can know who did upload the package. No, because the upload queues also use known UIDs, but may allow everyone to upload. (BTW, the qu

Re: dinstall and PGP

1998-04-09 Thread Manoj Srivastava
Hi, >>"Marco" == Marco d'Itri <[EMAIL PROTECTED]> writes: Marco> On Apr 08, Vincent Renardias <[EMAIL PROTECTED]> wrote: >> Anyway, I fail to see WHY we should allow non PGP signed packages. Marco> Because it's not easy to sign .dsc and .changes files via a ssh Marco> pipe when compiling packages

Re: dinstall and PGP

1998-04-09 Thread Marco d'Itri
On Apr 08, Vincent Renardias <[EMAIL PROTECTED]> wrote: >Definatly not an option, since people uploading anonymously to chiark >would be able to upload whatever in the distribution since the files >arrive in Incoming/ with IanJ's UID (also hold for other upload queues). We could maintain a list

Re: dinstall and PGP

1998-04-09 Thread Fabien Ninoles
On Wed, Apr 08, 1998 at 08:50:56PM +0100, Enrique Zanardi wrote: > On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote: > > Can someone hack dinstall to install packages which are not PGP signed > > but has been copied to incoming? If the UID of the files is the one of a > > developer we c

Re: dinstall and PGP

1998-04-08 Thread Vincent Renardias
On Wed, 8 Apr 1998, Marco d'Itri wrote: > Can someone hack dinstall to install packages which are not PGP signed > but has been copied to incoming? If the UID of the files is the one of a > developer we can know who did upload the package. Definatly not an option, since people uploading anonymou

Re: dinstall and PGP

1998-04-08 Thread Enrique Zanardi
On Wed, Apr 08, 1998 at 08:23:48PM +0200, Marco d'Itri wrote: > Can someone hack dinstall to install packages which are not PGP signed > but has been copied to incoming? If the UID of the files is the one of a > developer we can know who did upload the package. No. We know which account the upload