Re: Contributed packages and trust problem ?

> -----Original Message-----
> From: Raphaël Enrici [mailto:blacknoz(at)club-internet(dot)fr]
> Sent: 09 August 2003 19:14
> To: pgadmin-hackers(at)postgresql(dot)org
> Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>
>
> Dear all,
>
> here is a question on which I'd like to get your opinion.
> Giuseppe Sacco
> contributed today a build of the debian packages for PowerPC
> architecture based on our Debian Source packages. As he is a
> member of
> the debian project, I think we can consider him as a trusty
> person. But
> what about other persons that may contribute builds for other
> architectures ? Did you faced this "problem" in the past ?

Never considered it in the past as I always did the builds. I think it is a valid problem though. Is there any way we can sign the source code such that when it's compiled we can verify that it was unmodified source?

> Is everybody ok to upload his files on snake (I vote yes) ?
> Another thing I wanted to talk about since days concerns
> signing of our
> packages. Is there something done for the moment ? Shall someone sign
> the files ? Shall every packager sign its own package ? I'm currently
> looking to what's done in Debian and will give you some
> feedback on it.

What did you have in mind, a pgp sig for each file? I don't see that as a problem for each packager to create.

Regards, Dave.