[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Packages and signatures

> The problem with signing packages is that you can't trust a computer
> to do it for obvious reasons (like building/installation of packages
> being done as root).

 That's nonsense. Security important points in a process aren't created by
adding a signature there. A key automatically used by ftp-master.debian.org
would be as secure as the process of building packages in that machine is
now, not more secure, not less secure.
 Again with diferent words: A key used by "dinstall" (or whatever its name
is now) will have the same degree of security/trust that packages that are
now built with it.

 It's sad that this missconception has prevented Debian from using signed
packages for so long.

Reply to: