
Re: Trust in the Debian Build Process

>>"Torsten" == Torsten Landschoff <t.landschoff@gmx.net> writes:

 Torsten> What can we do against this? I guess most of the users at
 Torsten> most verify their packages using the Debian keyring from the
 Torsten> mirror/cd, so somebody could even circumvent the digital
 Torsten> signature by changing the key of a developer in the
 Torsten> keyring...

	Correct. We do not have a serious security policy in place,
 just one that is ``secure enough''.  Ian Jackson once proposed a
 formal security framework (involving three interlocking highly
 secure keys, and a signing key), with which every package would be
 detached signed, but we never got around to implementing it.

 Always store beer in a dark place. Lazarus Long
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
