ftp site
nathan r. hruby
yellowdog-general@lists.terrasoftsolutions.com
Thu Mar 6 06:42:01 2003
On Thu, 6 Mar 2003, Chris Croome wrote:
> Hi
>
> On Wed 05-Mar-2003 at 11:53:36 -0500, nathan r. hruby wrote:
> >
> > Ick. No. p2p is nice, but unless you can ensure that the packages
> > haven't been tampered with, I want my updates from an official (or at
> > least "trusted") mirror or source.
>
> Isn't GPG/PGP signing of packages good enough for this?
>
No. I want things from a trusted source as well as gpg signed. Even
trusted sources can sometimes be corrupt -- see the recent trojaning of
various OSS packages from the ftp site in the last month.

p2p is a nice paradigm, don't get me wrong, just inappropriate for
trustworthy transactions at the current time (mainly because of the lack of an
identity/trust mechanism.. add a really good trust framework and it'll be
the perfect thing; however I don't see that happening as for trust to be
established, you need to have an identity to trust and identities are very
under-rated in today's world - esp. when all you want is to trade some
mp3's)
-n
--
----------------------------------------
nathan hruby <nathan@drama.uga.edu>
computer services specialist
uga drama
http://www.drama.uga.edu/support/
----------------------------------------