Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#41
Originally Posted by Matan:
There are many bugs which will not be found by the extras "QA" process, or by Nokia's QA process for OVI. Certainly, intentional bad behaviour can easily slip through. Promising security for extras is akin to selling snake oil.

For example, the program can start sending lots of SMS only two weeks after installation.
That is one of the many reasons why DEB packages should be required to have embedded GPG signature of a packager, like RPM-packages. If the packager is the same as the developer, even better.
http://manpages.ubuntu.com/manpages/...ebsigs.1p.html
 

The Following User Says Thank You to zimon For This Useful Post:
Posts: 540 | Thanked: 288 times | Joined on Sep 2009
#42
Originally Posted by zimon:
That is one of the many reasons why DEB packages should be required to have embedded GPG signature of a packager
Everyone interested in this discussion should see the SELinux thread and continue there.

For those not interested in reading that thread "just because" I point this question (replies to the SELinux thread please): How do you verify that the signature is actually of a real person that is actually the packager (and how to make this easy for the end-user?)
 

The Following User Says Thank You to rambo For This Useful Post:
Posts: 2,535 | Thanked: 6,681 times | Joined on Mar 2008 @ UK
#43
Originally Posted by zimon:
That is one of the many reasons why DEB packages should be required to have embedded GPG signature of a packager, like RPM-packages. If the packager is the same as the developer, even better.
With Extras we know who uploaded it (not to the extent of a GPG signature, but at least to the extent of a username/password or SSH key) through the use of the authenticated Extras Upload Assistant or scp/dput with a pre-registered SSH key.

Not in the same league, of course, but almost certainly Good Enough (for now).
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
 

The Following User Says Thank You to Jaffa For This Useful Post:
Posts: 1,341 | Thanked: 708 times | Joined on Feb 2010
#44
Originally Posted by Jaffa:
With Extras we know who uploaded it (not to the extent of a GPG signature, but at least to the extent of a username/password or SSH key) through the use of the authenticated Extras Upload Assistant or scp/dput with a pre-registered SSH key.

Not in the same league, of course, but almost certainly Good Enough (for now).
No, it is not good enough, because people also install packages just by wget'ing them and installing with dpkg -i.
A MITM attack, for example on open WLAN access points, is really easy. Also, many kinds of redirections and tricks can be made, so although the user thinks he is getting something from some netsite with Firefox/Fennec/microB/wget/lynx, (s)he instead gets the file the attacker has changed.

Also, if some package has been installed now from a repository, and it has checked with Release.gpg that it is in fact that very same package what repository maintainers have checked for.

If there is a compromise in the system and you would like to know what files have been changed, in an RPM-based system you can just check authenticity and integrity of any installed package with "rpm -V", because there still is the package's GPG signature available locally, and if you want to be real sure, you check the filesystem externally using 100% trusted non-tampered tools.

With DEB-system, once some package is updated, it is much more difficult to check that files from the package you have installed are non-tampered. The Release.gpg file supports only the recent version of that package in the repository.

In an RPM-based system, let's assume you think wget has been tampered with when your friend's friend had 5 minutes of root access while you were visiting the toilet. Let's assume that in the repository wget has a new version already. But you want to know if wget was tampered with on your local system.
You just run command: rpm -V wget
It will check wget-package against all the md5sums and against the GPG-signature which was embedded in the package when you installed it.
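
As an added example (not part of the post above, and not code from dpkg or Maemo), this checks installed files against the md5sums list that dpkg keeps locally in /var/lib/dpkg/info/<package>.md5sums. The demo runs on a constructed temporary tree and shows the limit of an unsigned local list: a changed file is reported until the list itself is rewritten.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_md5sums(md5sums_path, root="/"):
    """Check a dpkg-style md5sums list ("<md5>  <path relative to root>").
    Returns [(path, "missing" | "changed"), ...]; empty means all match."""
    problems = []
    with open(md5sums_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, rel = line.split(None, 1)
            target = os.path.join(root, rel)
            if not os.path.isfile(target):
                problems.append((rel, "missing"))
            elif md5_of(target) != expected.lower():
                problems.append((rel, "changed"))
    return problems

def demo():
    """Constructed sample tree: clean, modified file, then rewritten list."""
    with tempfile.TemporaryDirectory() as root:
        rel = "usr/bin/wget"
        binary = os.path.join(root, rel)
        listing = os.path.join(root, "wget.md5sums")  # stand-in for dpkg's list
        os.makedirs(os.path.dirname(binary))
        with open(binary, "wb") as f:
            f.write(b"original wget binary\n")        # constructed content
        with open(listing, "w", encoding="utf-8") as f:
            f.write(f"{md5_of(binary)}  {rel}\n")
        clean = verify_md5sums(listing, root)
        with open(binary, "wb") as f:
            f.write(b"modified wget binary\n")        # simulated local change
        changed = verify_md5sums(listing, root)
        # The list is unsigned: whoever can change the file can change it too.
        with open(listing, "w", encoding="utf-8") as f:
            f.write(f"{md5_of(binary)}  {rel}\n")
        relisted = verify_md5sums(listing, root)
        return clean, changed, relisted

if __name__ == "__main__":
    print(demo())
```

For a real check, run `verify_md5sums` from trusted external media with `root` pointing at the mounted filesystem and compare against a list obtained from a trusted copy of the package.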
 
Posts: 9 | Thanked: 0 times | Joined on Nov 2007
#45
application in development looks more for me than ovi..that is the temptation to try out any new apps

just wondering when ovi store will have many apps for n900
 
Posts: 436 | Thanked: 298 times | Joined on Jan 2010 @ England
#46
I got my N900 end of Jan. I am a Linux noob .... started out using just the extras testing repo, as from what I can read the worst that can happen in testing is an app could cause issues, but uninstalling the app will sort it out.
Then I started looking into devel repo and installing stuff from there .... I know that an app may mess my phone up totally, but by reflashing I can sort it out.
I am now starting to (tentatively) use xterminal to change stuff (added the reboot button to power key menu).

All scary stuff but you gotta live on the wild side eh!
__________________
SEE THE WIKI.MAEMO ALARMED PAGE AND FIND NEW, COOL COMMANDS AND IF YOU HAVE ANY COOL/AWESOME/USEFUL COMMANDS YOURSELF PLEASE ADD THEM. http://wiki.maemo.org/ALARMED_Commands_List
If you don't have a wiki.maemo account and can't be bothered to create one, you can inbox me your commands and I will add them for you.
 
Posts: 1,427 | Thanked: 2,077 times | Joined on Aug 2009 @ Sydney
#47
From Day 1, I installed extras-devel apps without any hesitation whatsoever.
Come on. What's the worst it can do? I'll reflash if it caused mine to not boot up properly.

I reckon I've installed about 100-200 extras-devel apps over the past few months.
Never had a single issue with any of them causing any global issues.
App itself might have been dodgy but if so, just uninstall it. No harm done.

Yes, people need to watch their rootfs space.
But Maemo5 OS should have some automatic monitoring/warning. No idea why it doesn't.

I want 0day apps. I want it now. Not after days/weeks/months. So I thank for extras-devel repo. =)
 
Tags
dangerous, devel, testing