On Tuesday 17 May 2005 20:22, Sunny wrote:
> Which says that my kaffeine was packaged by packman, and if I need, I have to look for his rpmkey.
packman isn't one person, it is a web site where several people (and therefore several gpg keys) contribute. You'd need to import them all.

Also note that blindly importing keys you don't know anything about is no better than just ignoring the key completely. Trust is everything. Not saying you can't trust the keys in apt, I'm just saying you need to think about what you're doing. Do you know who the person is? Can he/she be traced if there's a major problem with the packages? Blind trust is stupid trust.

This isn't a problem now (perhaps. There are many 'regular users' contributing to the package repos that I know nothing at all about), but it will be in future as Linux grows in popularity. Even now it would be a piece of cake to spread malicious code: simply create a package, subscribe to this list using some anonymous address and start promoting the package. So far I have seen very few people that appear like they would think twice about installing it.

Please don't let Linux go down the same security quagmire that other OSes have. Please think. And to the admins of these repos: please consider establishing a web of trust where everything is transparent, so end users can see what's going on and who is involved.
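As an added example (not code from this thread, from packman or from the rpm project), the script below shows the check a cautious user would run before installing a third-party package: parse the output of `rpm --checksig` and refuse anything that is not signed by an already imported key. The one thing it makes visible that the bare tool does not is that an unsigned package also prints "OK" (only the digests were checked), so "OK" alone is not evidence of who built it. The sample lines are constructed in the rpm 4.x output style (lowercase token = check passed, UPPERCASE = failed, parentheses = header-only check, "(MISSING KEYS: GPG#...)" = the signer's key has not been imported); that format, the package names and the key id are assumptions for illustration, not real packman data.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample output in the style of rpm 4.x "rpm --checksig" (rpm -K).
# Assumed convention: lowercase = passed, UPPERCASE = failed, (...) = header-only,
# "(MISSING KEYS: GPG#xxxxxxxx)" = signed, but the signer's key is not imported.
SAMPLE = """\
kaffeine-0.7-1.pm.i586.rpm: (sha1) dsa sha1 md5 gpg OK
kaffeine-0.7-1.pm.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#9c800aca)
homemade-tool-1.0-1.i586.rpm: sha1 md5 OK
tampered-1.0-1.i586.rpm: (sha1) dsa sha1 MD5 GPG NOT OK
"""

_MISSING = re.compile(r"\(MISSING KEYS:\s*([^)]*)\)")


@dataclass
class Verdict:
    package: str
    # one of: signed_trusted, signed_unknown_key, unsigned, bad
    status: str
    # key ids rpm reported as not imported (go verify these out of band)
    missing_keys: List[str] = field(default_factory=list)


def classify(line: str) -> Optional[Verdict]:
    """Classify one rpm --checksig result line."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    package, _, rest = line.partition(":")
    rest = rest.strip()

    missing: List[str] = []
    m = _MISSING.search(rest)
    if m:
        missing = [k.strip() for k in m.group(1).split(",") if k.strip()]
        rest = rest[: m.start()].strip()

    tokens = [t.strip("()") for t in rest.split()]
    overall_ok = rest.endswith("OK") and not rest.endswith("NOT OK")
    has_gpg_sig = any(t.lower() == "gpg" for t in tokens)

    if missing:
        # digests fine, but the signature could not be checked against any imported key
        status = "signed_unknown_key"
    elif not overall_ok:
        status = "bad"
    elif has_gpg_sig:
        status = "signed_trusted"
    else:
        # "sha1 md5 OK" only proves the file was not corrupted in transit
        status = "unsigned"
    return Verdict(package.strip(), status, missing)


def classify_all(text: str) -> List[Verdict]:
    return [v for v in (classify(l) for l in text.splitlines()) if v is not None]


def should_install(v: Verdict) -> bool:
    """Policy: only a package whose gpg signature verified against an imported key."""
    return v.status == "signed_trusted"


def keys_to_verify(verdicts: List[Verdict]) -> List[str]:
    """Key ids you would still have to fetch and fingerprint-check before importing."""
    seen: List[str] = []
    for v in verdicts:
        for k in v.missing_keys:
            if k not in seen:
                seen.append(k)
    return seen


def check_packages(paths: List[str]) -> List[Verdict]:
    """Run the real tool (assumes rpm is installed) and classify its output."""
    out = subprocess.run(["rpm", "--checksig", *paths],
                         capture_output=True, text=True, check=False).stdout
    return classify_all(out)


if __name__ == "__main__":
    for v in classify_all(SAMPLE):
        print(f"{v.package:40} {v.status:20} install={should_install(v)}")
    print("keys still to verify out of band:", keys_to_verify(classify_all(SAMPLE)))
```

The policy function is deliberately strict: a "signed_unknown_key" result is not an invitation to run `rpm --import` on whatever key id is named, it is the point at which you obtain the key's fingerprint through a channel you trust (the packager in person, a signed web page, an existing web-of-trust path) and compare it before importing.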