Re: Packages and signatures
Forgive me if this has already been suggested, I haven't read the whole thread.
One of the concerns is that we can only trust individual signatures, not those
of automated processes. Once all packages have accurate build-depends, security
conscious people could build from source since the source packages are signed by
individuals. Then you could be sure that the source came from a particular
developer's machine. The only way a trojan could sneak in then is if the
developer's machine had been compromised?
Fri, Jan 19, 2001 at 10:28:17AM +0100 wrote:
> On Friday 19 January 2001, at 10 h 7, the keyboard of Goswin Brederlow
> <firstname.lastname@example.org> wrote:
> > In fact, it would give most people a false security. They would think
> > that packages are safe just because they are signed.
> To support your view, a good explanation (suitable for executives) is in the
> last CryptoGram, about an environment which claims loudly that code is signed:
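The chain the post relies on has two links: the developer's signature on the .dsc (which `gpg --verify` checks), and the digests inside that .dsc, which are what tie the tarball and diff actually on disk to the signed file. The following is an added example, not code from this thread or from Debian's tools: it parses the digest stanzas of a .dsc and checks each listed artifact against constructed file contents. The stanza names `Files` (md5) and `Checksums-Sha256` are the ones real .dsc files use, but treating them this way is this example's assumption, and the signature block itself is deliberately not parsed here.

```python
"""Check that source artifacts match the digests in a signed .dsc.

gpg --verify establishes that the developer's key signed the .dsc; the
digests inside it are what tie the tarballs on disk to that signature.
This is a constructed example, not a Debian tool.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Stanza name -> hash algorithm. "Files:" carries md5 (the only digest a
# 2001-era .dsc had); "Checksums-Sha256:" appears in newer .dsc files.
# Treating these stanzas this way is an assumption of this example.
STANZAS = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1", "Files": "md5"}
PREFERENCE = ("Checksums-Sha256", "Checksums-Sha1", "Files")


def parse_dsc(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {stanza: [(digest, size, filename), ...]} for digest stanzas.

    Only the indented continuation lines after a stanza header are collected;
    any other line ends the stanza. PGP armour lines are ignored: the
    signature is gpg's job, not this parser's."""
    stanzas: Dict[str, List[Tuple[str, int, str]]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9-]+):\s*$", line)
        if m:
            current = m.group(1) if m.group(1) in STANZAS else None
            if current:
                stanzas[current] = []
            continue
        if current and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:
                stanzas[current].append((parts[0].lower(), int(parts[1]), parts[2]))
            continue
        current = None  # a blank or non-continuation line ends the stanza
    return stanzas


def verify_sources(dsc_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Return {filename: status}; status is 'ok', 'missing', 'size-mismatch',
    'digest-mismatch' or 'weak-digest-only' (md5 matched but nothing stronger)."""
    stanzas = parse_dsc(dsc_text)
    chosen = next((name for name in PREFERENCE if name in stanzas), None)
    if chosen is None:
        return {}
    algo = STANZAS[chosen]
    results: Dict[str, str] = {}
    for digest, size, fname in stanzas[chosen]:
        data = files.get(fname)
        if data is None:
            results[fname] = "missing"
        elif len(data) != size:
            results[fname] = "size-mismatch"
        elif hashlib.new(algo, data).hexdigest() != digest:
            results[fname] = "digest-mismatch"
        elif algo == "md5":
            results[fname] = "weak-digest-only"  # md5 alone is collision-prone
        else:
            results[fname] = "ok"
    return results


def sample_case() -> Tuple[str, Dict[str, bytes]]:
    """Constructed inputs: a .dsc whose digests were computed from the files as
    the developer signed them, plus a diff altered after signing (same size,
    so only the digest catches it)."""
    orig = b"hello_1.0.orig.tar.gz contents (constructed)\n"
    diff_signed = b"hello_1.0-1.diff.gz contents as signed (constructed)\n"
    diff_on_disk = diff_signed.replace(b"signed", b"SIGNED")

    def entry(algo: str, data: bytes, name: str) -> str:
        return f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}"

    dsc = "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----",
        "Hash: SHA256",
        "",
        "Format: 1.0",
        "Source: hello",
        "Version: 1.0-1",
        "Files:",
        entry("md5", orig, "hello_1.0.orig.tar.gz"),
        entry("md5", diff_signed, "hello_1.0-1.diff.gz"),
        "Checksums-Sha256:",
        entry("sha256", orig, "hello_1.0.orig.tar.gz"),
        entry("sha256", diff_signed, "hello_1.0-1.diff.gz"),
        "-----BEGIN PGP SIGNATURE-----",
        "(signature block omitted; gpg --verify checks it, not this script)",
        "-----END PGP SIGNATURE-----",
    ])
    return dsc, {"hello_1.0.orig.tar.gz": orig, "hello_1.0-1.diff.gz": diff_on_disk}


if __name__ == "__main__":
    dsc, files = sample_case()
    for name, status in verify_sources(dsc, files).items():
        print(f"{name}: {status}")
```

The order matters: run the digest check only after `gpg --verify` has succeeded against a key you trust, otherwise the digests are just more unsigned bytes. A .dsc carrying only the md5 `Files:` stanza is reported as `weak-digest-only` rather than `ok`, so an md5-only source package is not silently accepted as strongly bound to its signature.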