Hi Adrian,
Adrian Schröter wrote:
On Friday 03 August 2007 14:53:37 wrote Petr Cerny:
Hi,
is there some way to tell apart BS users from SuSE/Novell and "external" ones or add some "verified" tag to some package?
Why am I asking: users of packages from BS might put less trust into packages which are not "official enough" i.e. those, that aren't even packaged by someone from SuSE.
We have had a trust interface on our todo list for quite a while, but we had no time to work on that yet.
You are right, we need something where a user can decide if he can trust it or not, based on some defined criteria.
Regarding this, I would like to see something like in Debian. A web of trust of developers is very good. A user can trust someone who is known by other developers of the global project. This means source uploads, or better the binaries, should be signed by the uploader, independent of the project in BS.
I would be very happy if someone wants to make a proposal document, or maybe even wants to work on that. We would be happy to help such a person to solve problems and to move forward.
Independent of this, I have on my todo list to improve the situation of project signing, so that the package manager can validate individual projects.
Seeing BS as (today's) main package repository, all projects (including their packages) which are distributed from BS (or being pushed from BS towards the mirrors) should be signed by the maintainer of the BS system. Therefore the customer, hmm..sorry, the user can trust the BS or the mirror, that the binaries are coming from the original BS, and he can trust the packager (it doesn't matter if it's an official opensuse / suse / novell project, or just a one man project), when he checks the web of trust behind the packager.
Just an idea,
Good night :)
\sh