Re: Trust in the Debian Build Process
Hi,
>>"Torsten" == Torsten Landschoff <t.landschoff@gmx.net> writes:
Torsten> What can we do against this? I guess most of the users at
Torsten> most verify their packages using the Debian keyring from the
Torsten> mirror/cd, so somebody could even circumvent the digital
Torsten> signature by changing the key of a developer in the
Torsten> keyring...
Correct. We do not have a serious security policy in place,
just one that is ``secure enough''. Ian Jackson once proposed a
formal security framework (involving three interlocking highly
secure keys, and a signing key), with which every package would be
detached signed, but we never got around to implementing it
manoj
--
Always store beer in a dark place. Lazarus Long
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E