Matt Zimmerman
mdz at ubuntu.com
Sun Oct 23 15:34:40 CDT 2005
On Sun, Oct 23, 2005 at 06:40:58PM +0200, Jeff Waugh wrote:
> <quote who="Evan Dandrea">
>
> > I think this is the wrong idea. If in a future version of Ubuntu I can
> > click on any .deb on the web and get prompted to install it, we'll have
> > every problem with spyware that Microsoft currently faces.
>
> Interesting point - certainly more of a problem given that we don't have
> individual package signing.

Individual package signing isn't much better, since there's generally no
trust path to the key. Why would you trust a key that says "I came from
vendor <foo>" any more than a package which says "I came from vendor <foo>"?
For software in official Ubuntu repositories, the trust path goes all the
way back to the installation media.
--
- mdz