[haiku-depot-web] Re: Dealing with Multiple Repositories and Conflicts
- From: Stephan Aßmus <superstippi@xxxxxx>
- To: haiku-depot-web@xxxxxxxxxxxxx
- Date: Thu, 21 May 2015 17:44:50 +0200
Hi,
On 21.05.2015 at 17:32, Alexander G. M. Smith wrote:
> Which brings up the question of trust. There isn't any malware now,
> but it would be nice to know which packages were legitimate, perhaps
> by having checksums for vetted packages, or a digital signature.
> Maybe we also need repository ratings :-)

We rely heavily on our web of trust. There will be a barrier, since a
group of admins controls which repos are added to HDS. I think if
someone misuses this trust, i.e. puts up a repo which looks legit and
does not contain malware, and sometime after it is added to HDS someone
becomes aware that it does contain malware (newly added or since
before), it should simply be removed from HDS immediately. I don't think
it makes sense to "downvote" it over a period of time. Which also means
that there should be an extra channel for users to report malware. (Like
this "report abuse" button that was mentioned earlier.) It may take a
human anyway to decide what to do. For example the repo provider could
be notified of a single malware package. Or it becomes clear that the
whole repo should be removed from HDS instead...
Best regards,
-Stephan