[Hamara-devel] Talk about having big red flashing security warnings for unsigned packages

shirish shirish at hamaralinux.org
Wed Jun 17 16:29:49 BST 2015


Hi all,
There is talk/discussion on debian-devel about how to have big red 
flashing security warnings for unsigned packages. What happens currently 
is that I can install packages that I build locally, either using 
dpkg-buildpackage, fakeroot or any other package I desire. They do show 
up when I query for orphaned packages using apt-get or aptitude, but 
that is also because I know that they will show up there.

This is/will be good if that infrastructure comes up, as we would be able 
to make it mandatory to have packages that are signed by us and perhaps 
by Debian as well.

There is as yet no discussion about what this eventual infrastructure would 
look like and how it would work, although if you read through the thread you 
will see that the idea/concept has been around since 2009 and even before.

There is also talk about having external developer repositories which 
can maintain software which for various reasons cannot be included in 
Debian apart from being non-free (e.g. too volatile; diaspora itself, for 
instance, where DDs have to have some sort of control over the versions 
of ruby libraries, but if you look at upstream it's like trying to 
control a running train). There are quite a number of packages which 
would benefit from it, some of which are packaged and some of which are 
not packaged as well.

See https://lists.debian.org/debian-devel/2015/06/msg00084.html for part 
of the fascinating discussion.
-- 
Regards,
Shirish Agarwal,
Community Lead,
Hamaralinux.org
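Added example (not from Shirish's post, nor from Debian or Hamara): a shell
script that finds the packages the post is talking about, i.e. installed
packages whose installed version is not provided by any configured apt
repository. That is the set aptitude lists as "Obsolete and Locally Created
Packages", and it is exactly the set that never went through apt's
Release-signature check, because that check is tied to a repository index
and /var/lib/dpkg/status is not one. The script parses `apt-cache policy`
output; the three sample policy texts are constructed here so the parser can
be exercised without a real apt database, and the package names and versions
in them are made up. Running it with `--scan` on a Debian/Ubuntu host
assumes `dpkg-query` and `apt-cache` are present.

```shell
#!/bin/sh
# Added example: report installed packages whose installed version comes
# only from /var/lib/dpkg/status (locally built, or removed from every
# archive), i.e. packages apt never verified against a signed Release file.

# Read one package's `apt-cache policy` output from stdin.
# Exit 0: installed version is local-only (no archive provides it).
# Exit 1: at least one archive provides the installed version.
# Exit 2: package is not installed.
policy_is_local_only() {
    awk '
        /^  Installed:/ { if ($2 == "(none)") { notinst = 1; exit } }
        /^ \*\*\* /     { in_installed = 1; next }       # the installed version
        in_installed && /^        [0-9]+ / {             # 8-space source lines
            if ($2 != "/var/lib/dpkg/status") { archive = 1 }
            next
        }
        in_installed    { in_installed = 0 }             # next version entry
        END {
            if (notinst) { exit 2 }
            exit archive ? 1 : 0
        }
    '
}

# Classify one policy text and print local | archive | not-installed.
classify_policy() {
    rc=0
    printf '%s\n' "$1" | policy_is_local_only || rc=$?
    case $rc in
        0) echo local ;;
        1) echo archive ;;
        *) echo not-installed ;;
    esac
}

# On a real host: walk every package dpkg knows about and print the
# local-only ones (assumes dpkg-query and apt-cache; does nothing otherwise).
list_local_only_packages() {
    command -v apt-cache >/dev/null 2>&1 || return 0
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Package}\n' | while read -r pkg; do
        if apt-cache policy "$pkg" | policy_is_local_only; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample `apt-cache policy` output (package names and versions
# are made up); only the shape of the text matches what apt prints.
SAMPLE_LOCAL='hamara-branding:
  Installed: 0.3-1
  Candidate: 0.3-1
  Version table:
 *** 0.3-1 100
        100 /var/lib/dpkg/status'

SAMPLE_ARCHIVE='example-tool:
  Installed: 4.3-11
  Candidate: 4.3-11
  Version table:
 *** 4.3-11 500
        500 http://deb.debian.org/debian jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     4.3-10 500
        500 http://deb.debian.org/debian jessie-updates/main amd64 Packages'

SAMPLE_NOT_INSTALLED='example-lib:
  Installed: (none)
  Candidate: 1.0-1
  Version table:
     1.0-1 500
        500 http://deb.debian.org/debian jessie/main amd64 Packages'

# Stand-alone demo on the constructed samples; --scan walks the real host.
for s in "$SAMPLE_LOCAL" "$SAMPLE_ARCHIVE" "$SAMPLE_NOT_INSTALLED"; do
    printf '%s -> %s\n' "${s%%:*}" "$(classify_policy "$s")"
done
case ${1-} in
    --scan) list_local_only_packages ;;
esac
```

On a host with aptitude installed, `aptitude search '~o'` prints the same
set; the script above is only for showing where that answer comes from. A
package listed here is not necessarily malicious, it is simply one whose
origin apt cannot vouch for, which is the gap the proposed warning is meant
to close.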