Re: fakeroot a solution for multi-architecture building?

[joost@rulcmc.leidenuniv.nl (joost witteveen)]

> The packages are only handled by the arch-specific builders AFTER
> Guy has got them through his procedure of bringing them into the
> distribution for the initial architectures. They are already verified
> as authentic.

The .deb (for new arch) packages cannot be verified as authentic, 
as they don't exist before the arch-specific builders build them.

>  The arch-specific builders could have a special pgp
> key to authenticate uploades coming from them like any other developer.


Yes, I know all that. But the point is, that these arch-specific builders
_have_ to auto-sign the .deb packages they build. That means there
is a plaintext key _somewhere_ on those arch-specific builders,
and that seems to open security holes to me.

Yes, the .tar.gz is authentic, but the .deb's cannot be (well, unless
you fully trust those machines).


-- 
joost witteveen, joostje@debian.org
#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
#what's this? see http://www.dcs.ex.ac.uk/~aba/rsa/


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .