Re: buildds: "Authentication warning overridden."
Raphael Geissert wrote:
>Hi all,
>
>It's not uncommon to see buildds (actually build tools) override the
>package/Release signature warning.
>So I was wondering, what is the point of having such a signature
>verification system if the build systems do not care about them?
>
>I know the main target is to prevent end users from downloading
>compromised/not-legitimate packages. But, I'm thinking about a possible
>package compromise and buildds using such affected packages and leaving
>the possibility to have the built packages also compromised.
>
>Wouldn't it be better to have the buildds verify the Release signature
>rather than just overriding the warning?

That's all well and good, but the buildds also depend on using
packages from (for example) incoming, which it is not feasible to
sign.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"I can't ever sleep on planes ... call it irrational if you like, but I'm
afraid I'll miss my stop" -- Vivek Dasmohapatra