On Tue, 2003-11-04 at 11:13, David J. Bianco wrote:

> Another emphatic YES from me. If we expect people to trust us for security
> patches, we must provide them with some assurance that a) the fix works, and
> b) it does not contain malicious code. Neither of these determinations
> should be left up to a single person, and CERTAINLY not to the person who
> submits the patch.
>
> I imagine the other Fedora developers are planning to address this problem,
> since they also have to distribute code supplied by their semi-anonymous
> developer community. Does anyone know how they plan to handle things?
>
> David

fedora.redhat.com has indicated earlier that there will be a formal developer sign-up process where you need to sign legal forms and provide proof of identification.

In addition to this, I hope we will have something similar to fedora.us's current ultra-paranoid use of GPG, signing developer keys only after they have proven their cluefulness and trustworthiness over a period of many months of submitting good packages and providing good QA feedback for other packagers.

Warren