Re: Packages and signatures
Forgive me if this has already been suggested; I haven't read the whole thread.
One of the concerns is that we can only trust individual signatures, not those
of automated processes. Once all packages have accurate build-depends, security
conscious people could build from source since the source packages are signed by
individuals. Then you could be sure that the source came from a particular
developer's machine. The only way a trojan could sneak in then is if the
developer's machine had been compromised?
-David
Fri, Jan 19, 2001 at 10:28:17AM +0100 wrote:
> On Friday 19 January 2001, at 10 h 7, the keyboard of Goswin Brederlow
> <goswin.brederlow@student.uni-tuebingen.de> wrote:
>
> > In fact, it would give most people a false security. They would think
> > that packages are safe just because they are signed.
>
> To support your view, a good explanation (suitable for executives) is in the
> last CryptoGram, about an environment which claims loudly that code is signed:
>
> http://www.counterpane.com/crypto-gram-0101.html#10
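The procedure David sketches (trust an individual developer's signature on the source package rather than an automated signature on the binary, then build from that source) rests on two checks: the OpenPGP signature on the .dsc file, and the digests the .dsc carries for the tarballs it references. The example below is added here and is not code from this thread or from Debian's own tooling. It assumes a .dsc-style control file with a `Checksums-Sha256` stanza, uses a constructed sample tree (the file contents and digests are made up for the demonstration), and leaves the signature step to an installed GnuPG, since Python's standard library has no OpenPGP implementation.

```python
"""Check a Debian-style source package description (.dsc) before building
from it. The developer's OpenPGP signature covers the .dsc text; the .dsc
in turn lists SHA-256 digests of the source files. Both checks have to
pass before the source can be trusted as coming from that developer."""
import hashlib
import os
import re
import subprocess
import tempfile

# Constructed sample .dsc body (the part inside a clearsigned message).
# Digests are filled in by make_sample_tree(); none of this is a real upload.
SAMPLE_DSC_TEMPLATE = """\
Format: 3.0 (quilt)
Source: hello
Version: 2.10-1
Checksums-Sha256:
 {orig_hash} {orig_size} hello_2.10.orig.tar.gz
 {debian_hash} {debian_size} hello_2.10-1.debian.tar.xz
Files:
 00000000000000000000000000000000 0 hello_2.10.orig.tar.gz
"""

# One stanza line: leading space, 64 hex digits, size, filename.
CHECKSUM_LINE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(dsc_text):
    """Return {filename: (sha256hex, size)} from the Checksums-Sha256 stanza."""
    entries = {}
    in_stanza = False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            m = CHECKSUM_LINE.match(line)
            if not m:
                in_stanza = False  # the next field ends the stanza
                continue
            digest, size, name = m.groups()
            entries[name] = (digest, int(size))
    return entries


def sha256_of(path):
    """Stream a file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dsc_checksums(dsc_text, directory):
    """Confirm every file named in Checksums-Sha256 exists with the stated
    size and digest. Returns (ok, problems). A .dsc without the stanza
    fails rather than passing vacuously."""
    entries = parse_checksums_sha256(dsc_text)
    if not entries:
        return False, ["no Checksums-Sha256 stanza found"]
    problems = []
    for name, (digest, size) in entries.items():
        if "/" in name or name in (".", ".."):
            problems.append(f"{name}: refused path component")
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        actual_size = os.path.getsize(path)
        if actual_size != size:
            problems.append(f"{name}: size {actual_size} != {size}")
            continue
        if sha256_of(path) != digest:
            problems.append(f"{name}: sha256 mismatch")
    return (not problems), problems


def verify_dsc_signature(dsc_path, keyring):
    """First step in practice: the .dsc must verify against a keyring you
    trust, i.e. the individual developer's key. Assumes GnuPG is installed;
    the constructed sample below does not exercise this wrapper."""
    r = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", dsc_path],
        capture_output=True, text=True)
    return r.returncode == 0


def make_sample_tree(tamper=False):
    """Write constructed source files to a temp directory and produce a
    matching .dsc text. With tamper=True the orig tarball is replaced by
    same-length content after the digests were computed, so only the
    digest check (not the size check) can catch it."""
    d = tempfile.mkdtemp()
    files = {"hello_2.10.orig.tar.gz": b"constructed upstream tarball\n",
             "hello_2.10-1.debian.tar.xz": b"constructed debian dir\n"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    dsc = SAMPLE_DSC_TEMPLATE.format(
        orig_hash=hashlib.sha256(files["hello_2.10.orig.tar.gz"]).hexdigest(),
        orig_size=len(files["hello_2.10.orig.tar.gz"]),
        debian_hash=hashlib.sha256(files["hello_2.10-1.debian.tar.xz"]).hexdigest(),
        debian_size=len(files["hello_2.10-1.debian.tar.xz"]))
    if tamper:
        with open(os.path.join(d, "hello_2.10.orig.tar.gz"), "wb") as f:
            f.write(b"Constructed upstream tarball\n")  # same size, new bytes
    return dsc, d


if __name__ == "__main__":
    for tamper in (False, True):
        dsc, d = make_sample_tree(tamper=tamper)
        print("tampered" if tamper else "clean", verify_dsc_checksums(dsc, d))
```

Order matters: the digest check only means something once `verify_dsc_signature` has passed, because an attacker who can replace the tarball can just as easily rewrite an unsigned .dsc to match it. The signature binds the digests to the developer's key, and the digests bind the tarballs to the .dsc; that is the chain that makes "build from source" stronger than trusting an automated build signature.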