Packages and signatures

To: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>
Cc: Klaus Reimer <kay@debian.org>, debian-devel@lists.debian.org
Subject: Packages and signatures
From: Nicolás Lichtmaier <nick@debian.org>
Date: Thu, 18 Jan 2001 23:48:10 -0300
Message-id: <[🔎] 20010118234810.C1214@debian.org>
In-reply-to: <[🔎] 87itnc1q9f.fsf@mose.informatik.uni-tuebingen.de>; from goswin.brederlow@student.uni-tuebingen.de on Thu, Jan 18, 2001 at 10:53:16PM +0100
References: <[🔎] 01011819481401.00676@neo> <[🔎] 87itnc1q9f.fsf@mose.informatik.uni-tuebingen.de>

> The problem with signing packages is that you can't trust a computer
> to do it for obvious reasons (like building/installation of packages
> being done as root).

 That's nonsense. Security important points in a process aren't created by
adding a signature there. A key automatically used by ftp-master.debian.org
would be as secure as the process of building packages in that machine is
now, not more secure, not less secure.
 Again with diferent words: A key used by "dinstall" (or whatever its name
is now) will have the same degree of security/trust that packages that are
now built with it.

 It's sad that this missconception has prevented Debian from using signed
packages for so long.

Reply to:

Follow-Ups:
- Re: Packages and signatures
  - From: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>
- Re: Packages and signatures
  - From: Riku Voipio <riku.voipio@iki.fi>
- Re: Packages and signatures
  - From: Wichert Akkerman <wichert@cistron.nl>

References:
- Secure apt-get
  - From: Klaus Reimer <kay@debian.org>
- Re: Secure apt-get
  - From: Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de>

Prev by Date: Re: Logging on to debian machines
Next by Date: Re: woody/non-us broken?
Previous by thread: Re: Secure apt-get
Next by thread: Re: Packages and signatures
Index(es):
- Date
- Thread