Art Alexion on 10 Dec 2009 05:01:48 -0800


Re: [PLUG] trusting linux packages

On Wednesday 09 December 2009 17:33:27 sean finney wrote:
>   On Wed, Dec 09, 2009 at 03:12:42PM -0500, Greg Helledy wrote:
> > Repositories where someone takes responsibility for what's there, like 
> > and are (hopefully?) very different 
> > from sites where "sk8-237" just uploaded his cool new screensaver, and 
> > none of the other 2 users who've tried it have posted any complaints.
> also note that both backports and debian-multimedia are signed
>  repositories, i.e. you can (a) verify that the packages are genuine and
>  not modified by someone other than the signer, and (b) inspect who the
>  signer is, to see if he/she is someone you want to trust with root
>  privilege on your box.

OK.  So I have been using this package, DavMail ( that 
isn't in any repository.  This one isn't a problem.  I have had conversations 
with the developer and he is active on the user mail list.

But there is a lot of software out there like this which is very useful -- 
sometimes necessary -- to get the job done.  DavMail, for instance, is the only 
stable way I have found to access Exchange 2007 on an open source PIM.

This presents a difficult dilemma in *how* you establish that initial trust.

Art Alexion
Philadelphia Linux Users Group