The debian-private mailing list leak, part 1.


Re: new maintainer verification



[ Please don't Cc: me when replying to my message on a mailing list. ]

Bruce Perens:
> My main concern is that a rogue maintainer could get a login on master
> (we don't check their background much now) and then upload a package
> with a time-bomb or trojan horse.

Unless we can have trusted people review all the source code
(and compile binaries from reviewed source code), we're going
to be open to an attack. I doubt we can find enough trusted
reviewers.

> The FTP archive (not Incoming) could be made group-write-only, with 10
> or so people we know well in the group. However, my main concern is that
> we verify the identity of the people we give login privileges on master.

The easiest way might be to disallow logins altogether, except
for a small number of trusted people. Uploads could be done via
anonymous FTP; identity of uploader would be proved by the PGP
signature on .changes (with some way to handle the French).

-- 
Please read <http://www.iki.fi/liw/mail-to-lasu.html> before mailing me.
Please don't Cc: me when replying to my message on a mailing list.


Attachment: pgpcVfjxNCdMI.pgp
Description: PGP signature
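
The upload check proposed in the message above, as an added example (not part of the original message and not Debian's own tooling): the signature on `.changes` is verified against a keyring of known maintainers, and only the signed text is then trusted to say which files belong to the upload. Assumptions: the function names, the `payload_of` parameter and the keyring path are hypothetical; the file list uses the `Checksums-Sha256` field of present-day `.changes` files; `gpgv` is installed.

```python
import hashlib
import os
import subprocess
import tempfile


def gpgv_payload(changes_path, keyring):
    """Return the signed text of a clearsigned .changes, or raise if the
    signature was not made by a key in `keyring` (assumed: a keyring
    holding only the keys of known maintainers)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "signed")
        subprocess.run(["gpgv", "--keyring", keyring, "--output", out, changes_path],
                       check=True, capture_output=True)
        with open(out, encoding="utf-8") as fh:
            return fh.read()


def listed_files(payload):
    """Parse 'Checksums-Sha256' entries of the form ' <sha256> <size> <name>'."""
    files, in_field = {}, False
    for line in payload.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            files[name] = (digest, int(size))
        else:
            in_field = False
    return files


def check_upload(changes_path, incoming_dir, payload_of):
    """Accept an upload only if .changes verifies and every listed file matches."""
    payload = payload_of(changes_path)      # raises on a bad or unknown signature
    files = listed_files(payload)           # parsed from signed text only
    if not files:
        raise ValueError("no files listed in signed payload")
    for name, (digest, size) in files.items():
        if os.path.basename(name) != name:  # entries must stay inside incoming
            raise ValueError(f"unsafe filename: {name!r}")
        with open(os.path.join(incoming_dir, name), "rb") as fh:
            data = fh.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            raise ValueError(f"{name}: does not match signed checksum")
    return sorted(files)
```

In use, `payload_of` would be `lambda p: gpgv_payload(p, keyring_path)`; parsing the output of `gpgv` rather than the raw file keeps unsigned text placed around the signed block from being read as part of the upload.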