On Thu, 2004-11-04 at 23:45 +0100, Féliciano Matias wrote:
Le jeudi 04 novembre 2004 à 15:37 -0500, Peter Jones a écrit :
Also note that those which are signed are currently signed by hand, and one thing people have been advocating is automatic signing. Automatic signing, I'll obviously argue, is a total loss.
What is a ssl server if it's not an automatic signing machine ? Total loss...
That's completely ignoring the contexts of package distribution and the policies put in place by current package update tools. None of them trust packages *just* because they are fetched over SSL, nor do they reject packages which aren't.