Re: fakeroot a solution for multi-architecture building?
> The packages are only handled by the arch-specific builders AFTER
> Guy has got them through his procedure of bringing them into the
> distribution for the initial architectures. They are already verified
> as authentic.
The .deb (for new arch) packages cannot be verified as authentic,
as they don't exist before the arch-specific builders build them.
> The arch-specific builders could have a special pgp
> key to authenticate uploads coming from them like any other developer.
Yes, I know all that. But the point is that these arch-specific builders
_have_ to auto-sign the .deb packages they build. That means there
is a plaintext key _somewhere_ on those arch-specific builders,
and that seems to open security holes to me.
Yes, the .tar.gz is authentic, but the .debs cannot be (well, unless
you fully trust those machines).
--
joost witteveen, joostje@debian.org
#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
#what's this? see http://www.dcs.ex.ac.uk/~aba/rsa/
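As an added illustration of the trust chain discussed in this thread (not code from the original message, nor from any Debian tool), the following Python script models the two signatures a user could check: the developer's signature over the .tar.gz, made offline, and the builder's auto-signature over the .deb, made with a key that sits in plaintext on the build machine. A Lamport one-time signature over SHA-256 stands in for PGP so the script needs nothing outside the standard library; the key names, file contents and the `assess` policy function are constructed for the example.

```python
"""Added example: why a builder-signed .deb is only as trustworthy as the builder.

Lamport one-time signatures (hash-based) stand in for PGP here so the script
runs with the standard library only.  Keys are one-time: reusing one leaks
secret material, which does not matter for this demonstration but would in
practice.  All artifacts and names below are constructed for the example.
"""
import hashlib
import os

H = hashlib.sha256


def keygen(rng=os.urandom):
    """256 pairs of 32-byte secrets; the public key is their SHA-256 hashes."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def bits(digest):
    """The 256 bits of a SHA-256 digest, most significant bit first."""
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def sign(sk, data):
    """Reveal, for each bit of H(data), the matching secret of the pair."""
    return [sk[i][b] for i, b in enumerate(bits(H(data).digest()))]


def verify(pk, data, sig):
    """Every revealed secret must hash to the public value selected by H(data)."""
    if len(sig) != 256:
        return False
    return all(H(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, bits(H(data).digest()))))


def assess(tarball, tarball_sig, deb, deb_sig, keyring):
    """What the two signatures actually establish for a downloaded package.

    The developer key vouches for the source; the buildd key vouches only
    that *the buildd* emitted the binary.  Nothing binds the .deb contents
    to the developer, so the binary's status never rises above the builder's.
    """
    source = ("developer-authentic"
              if verify(keyring["developer"], tarball, tarball_sig) else "unverified")
    binary = ("builder-signed"
              if verify(keyring["buildd"], deb, deb_sig) else "unverified")
    return {"source": source, "binary": binary}


def scenario():
    """Honest build versus a build on a compromised buildd; returns both assessments."""
    dev_sk, dev_pk = keygen()          # developer's key, kept offline
    buildd_sk, buildd_pk = keygen()    # auto-signing key, plaintext on the buildd
    keyring = {"developer": dev_pk, "buildd": buildd_pk}

    tarball = b"foo_1.0.orig.tar.gz: constructed sample bytes"
    tarball_sig = sign(dev_sk, tarball)   # signed by the developer, not the buildd

    honest_deb = b"foo_1.0_m68k.deb: built from foo_1.0.orig.tar.gz"
    trojan_deb = b"foo_1.0_m68k.deb: built from foo_1.0.orig.tar.gz plus backdoor"

    # The buildd signs whatever it built.  Anyone with root on the buildd can
    # read buildd_sk and sign a different binary exactly the same way.
    honest = assess(tarball, tarball_sig, honest_deb, sign(buildd_sk, honest_deb), keyring)
    trojan = assess(tarball, tarball_sig, trojan_deb, sign(buildd_sk, trojan_deb), keyring)
    return honest, trojan


def tamper_detected():
    """Sanity check of the stand-in scheme: a modified file fails verification."""
    sk, pk = keygen()
    data = b"foo_1.0.orig.tar.gz: constructed sample bytes"
    sig = sign(sk, data)
    return verify(pk, data, sig) and not verify(pk, data + b"x", sig)


if __name__ == "__main__":
    honest, trojan = scenario()
    print("honest build:", honest)
    print("trojaned build:", trojan)
    print("indistinguishable to the verifier:", honest == trojan)
```

The two assessments come out identical: the verifier sees a developer-authentic tarball and a builder-signed .deb in both cases, because the only thing the .deb signature proves is possession of the buildd's key, and that key is readable by whoever controls the buildd. Separating the signing step from the build machine (or having the builder emit unsigned output that a trusted party signs after inspection) changes who holds the key, which is the variable this message is concerned with.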