Re: buildds: "Authentication warning overridden."
On Fri, Nov 09, 2007 at 08:00:15PM -0600, Raphael Geissert wrote:
> Steve McIntyre wrote:
> > That's all well and good, but the buildds also depend on using
> > packages from (for example) incoming, which it is not feasible to
> > sign.
> Even tough incoming is not signed, packages require a valid DD/similar
> signature to be there.
> What I worry about is having a mirror or even the main archive compromised,
> because buildd's won't have a chance to possibly stop the attack because
> signatures aren't verified.
Won't somebody else stop the attack in their place then, who does check