[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages and signatures

Forgive me if this has already been suggested, I haven't read the whole thread.
One of the concerns is that we can only trust individual signatures, not those
of automated processes. Once all packages have accurate build-depends, security
conscious people could build from source since the source packages are signed by
individuals.  Then you could be sure that the source came from a particular
developer's machine.  The only way a trojan could sneak in then is if the
developer's machine had been compromised?


Fri, Jan 19, 2001 at 10:28:17AM +0100 wrote:
> On Friday 19 January 2001, at 10 h 7, the keyboard of Goswin Brederlow 
> <goswin.brederlow@student.uni-tuebingen.de> wrote:
> > In fact, it would give most people a false security. They would think
> > that packages are save just because they are signed.
> To support your view, a good explanation (suitable for executives) is in the 
> last CryptoGram, about an environment which claims loudly that code is signed:
> http://www.counterpane.com/crypto-gram-0101.html#10
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: