Re: Official Debian digital 'branding' of debs
Manoj Srivastava <firstname.lastname@example.org> writes:
> As to autobuild daemons, they never get close to the Master
> key. Evewry package is not signed by the Master key, only the
> Debian-keyring package is. The Master key merely ensures that the
> keys in the keyring package you have are officially sanctioned.
So deb files wont be signed at all, or signed by the autobuilders.
Hacking the autobuilders and stealing the key is all you need. The
password for the key will be in the shell enviroment, so thats easy to
get, once you hacked the comp.
There would be no security gained from a signed keyring package, not
for deb files anyway.