On Thu, Dec 26, 2013 at 09:47:17PM +0200, Eduard - Gabriel Munteanu wrote: > I don't want to bash people for this, but I feel security isn't being taken > seriously; see bug #722906, look how the package manager gladly goes about > building unverified packages and probably a bunch of other things I might > have not noticed yet and make me want to abandon Debian completely on > machines I admin. Your choice. But we serve GPG signatures and most Debian developers are part of the strong set, so you should be able to find a trustpath to the key there. It's like the trust into Linux. It's mirrored everywhere and someone trustable is bound to have a copy of the keyring to bootstrap. Yes, we do not trust the SSL cartel and use Web of Trust. Kind regards Philipp Kern
Attachment:
signature.asc
Description: Digital signature