Re: Contributed packages and trust problem ?

From: Raphaël Enrici <blacknoz(at)club-internet(dot)fr>
To: Dave Page <dpage(at)vale-housing(dot)co(dot)uk>
Cc: pgadmin-hackers(at)postgresql(dot)org
Subject: Re: Contributed packages and trust problem ?
Date: 2003-08-09 21:40:25
Message-ID: 3F356A49.7040909@club-internet.fr
Lists: pgadmin-hackers

Dave Page wrote:

>>-----Original Message-----
>>From: Raphaël Enrici [mailto:blacknoz(at)club-internet(dot)fr]
>>Sent: 09 August 2003 19:14
>>To: pgadmin-hackers(at)postgresql(dot)org
>>Subject: [pgadmin-hackers] Contributed packages and trust problem ?
>>
>>Giuseppe Sacco contributed today a build of the Debian packages for PowerPC
>>architecture based on our Debian Source packages. As he is a member of
>>the Debian project, I think we can consider him as a trusty person. But
>>what about other persons that may contribute builds for other
>>architectures ? Did you face this "problem" in the past ?
>>
>Never considered it in the past as I always did the builds. I think it is a valid problem though. Is there any way we can sign the source code such that when it's compiled we can verify that it was unmodified source?
>
Never heard about something like this....

>>Is there something done for the moment ? Shall someone sign the files ?
>>Shall every packager sign its own package ? I'm currently looking at
>>what's done in Debian and will give you some feedback on it.
>>
>What did you have in mind, a pgp sig for each file? I don't see that as a problem for each packager to create.
>
>
As RPM and DEB packages integrate gpg signatures, I just wanted to know
if there was a pgp/gpg key global to the pgAdmin team, something that
was used to sign the files of the project like binaries, sources, etc.
I'm ok to sign the deb package by myself.
And I wanted to know if you used to sign the files in the past? For
example the source tarball and win32 packages.

Regards,

Raphaël
