Package review status

Robert Collins rbcollins@cygwin.com
Wed Sep 25 03:49:00 GMT 2002


On Wed, 2002-09-25 at 20:36, Chris January wrote:
> > > *Updated* packages are trusted by default.  They can be uploaded w/o
> > > review.
> 
> Not being funny, but this probably shouldn't be the case. I could easily
> spoof some mail headers and get a compromised binary uploaded. I think there
> should probably be a more thorough review process than there is for new
> packages as well. For example, when I posted the procps packages, did anyone
> check the binaries matched with the source code I posted? Did anyone check
> that the source code without the Cygwin-specific patch matched the canonical
> version? It only takes one mischievous person to ruin Cygwin's reputation.
> Sorry to be the harbinger of doom and gloom, but I do agree with what
> others have been saying that there has to be a mechanism to trust packagers.

Right, well I'll happily generate checksums of what I download, and
if the poster here posts the expected checksums in a gpg signed
message, then we can be fairly sure that whoever sent the email
created the package files.

Generating trust in a specific GPG signature takes time or a web of
trust, and is a related-but-separate discussion. I think that my GPG key
is well associated with me by now :] (Either that, or a very persistent
mimic :};}). One way would be for maintainers to follow a similar
approach and consistently sign their emails. YMMV.

Rob
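The check Rob describes, as an added example that is not part of the thread or of Cygwin's own tooling: it assumes sha256sum-style checksum lines inside an RFC 4880 cleartext-signed message (the mail says only "gpg signed" and "checksums"), and that `gpg --verify` has already accepted the signature before anything in the message is believed.

```python
# Added example (not from the thread or the Cygwin project): take expected
# checksums only from the signed region of a PGP cleartext-signed announcement
# and compare them with the downloaded files. Assumes sha256sum-style lines;
# the signature itself must first pass `gpg --verify <announcement>`.
import hashlib, re, tempfile
from pathlib import Path

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
CHECKSUM_RE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$", re.I)

def signed_body(message):
    """Only the text the signature covers (RFC 4880 cleartext format): drop
    anything before the header or after the signature, unescape "- " lines."""
    lines = message.splitlines()
    start, end = lines.index(BEGIN_SIGNED) + 1, lines.index(BEGIN_SIG)
    while start < end and lines[start].strip():   # skip "Hash: ..." headers
        start += 1
    body = lines[start + 1:end]                     # and the blank separator
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def parse_checksums(body):
    """Map file name -> expected hex digest for each sha256sum-style line."""
    found = (CHECKSUM_RE.match(l.strip()) for l in body.splitlines())
    return {m.group(2): m.group(1).lower() for m in found if m}

def verify_files(expected, directory):
    """name -> 'ok' | 'MISMATCH' | 'MISSING' for every file the announcement lists."""
    out = {}
    for name, digest in expected.items():
        path = Path(directory, Path(name).name)     # never let the list pick a path
        if not path.is_file():
            out[name] = "MISSING"
            continue
        out[name] = "ok" if hashlib.sha256(path.read_bytes()).hexdigest() == digest else "MISMATCH"
    return out

def build_demo():
    """Constructed sample: two downloads and an announcement listing a right digest,
    a wrong one and an absent file, plus an unsigned line appended after the signature."""
    d = tempfile.mkdtemp()
    good = b"constructed stand-in for a package tarball\n"
    for name, data in [("pkg-1.tar.bz2", good), ("pkg-1-src.tar.bz2", b"tampered\n")]:
        Path(d, name).write_bytes(data)
    msg = "\n".join([BEGIN_SIGNED, "Hash: SHA256", "",
                     hashlib.sha256(good).hexdigest() + "  pkg-1.tar.bz2",
                     "a" * 64 + "  pkg-1-src.tar.bz2", "b" * 64 + "  pkg-1-missing.tar.bz2",
                     "- -- Rob", BEGIN_SIG, "(constructed armor)", "-----END PGP SIGNATURE-----",
                     "c" * 64 + "  evil.tar.bz2"])
    return d, msg
```

The point of signed_body() is that a checksum line appended outside the signed region, like the evil.tar.bz2 line in the constructed sample, never reaches the comparison at all.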
