|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: [PLUG] trusting linux packages
|
On Wednesday 09 December 2009 17:33:27 sean finney wrote:
> On Wed, Dec 09, 2009 at 03:12:42PM -0500, Greg Helledy wrote:
> > Repositories where someone takes responsibility for what's there, like
> > backports.org and debian-multimedia.org are (hopefully?) very different
> > from sites where "sk8-237" just uploaded his cool new screensaver, and
> > none of the other 2 users who've tried it have posted any complaints.
>
> also note that both backports and debian-multimedia are signed
> repositories, i.e. you can (a) verify that the packages are genuine and
> not modified by someone other than the signer, and (b) inspect who the
> signer is, to see if he/she is someone you want to trust with root
> privilege on your box.
>
OK. So I have been using this package, DavMail (davmail.sourceforge.net) that
isn't in any repository. This one isn't a problem. I have had conversations
with the developer and he is active on the user mail list.
But there is a lot of software out there like this which is very useful --
sometimes necessary -- to get the job done. DavMail, for instance is the only
stable way I have found to access Exchange 2007 on an open source PIM.
This presents a difficult dilema in *how* you establish that initial trust.
--
Art Alexion
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|