Re: Packages and signatures
>>"Michael" == Michael Neuffer <email@example.com> writes:
>> You really think a signature by an automated process has any
>> security significance whatsoever?
Michael> In the context of our discussions in Atlanta (CVS/make world
Michael> et al.), it would have the advantage that the package would
Michael> be built in a clean common environment and not on one of
Michael> 500 different machines with 500 different configurations
Michael> where nobody knows who broke in already.
Please note that I restricted my remarks to the signature
issue. I am all for the make world (I even am volunteering to build
all the changes required into the cvs-buildpackage suite to make this

What we need is something like this: the Debian maintainers
sign the source packages (as we already do). The entity running
cvs-inject (or cvs-tree-inject) verifies the signature before
injection into the repository. The build process then builds from
this; and the resulting deb is signed by one of the build team;

How we ensure the integrity of the repository, and the build
process itself needs to be determined. But just having an automated
build process merrily sign the resulting debs is, umm, simplistic.
Absence makes the heart grow fonder. Sextus Aurelius
Manoj Srivastava <firstname.lastname@example.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
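
The injection gate proposed in the message above, sketched as an added example; it is not code from the message or from cvs-buildpackage. Ed25519 stands in for the PGP signatures so the sketch runs offline, and Keyring, Upload, Inject and Demo are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring: maintainer name -> trusted public key (constructed stand-in for the
// maintainer keyring; Ed25519 replaces PGP so the example runs offline).
type Keyring map[string]ed25519.PublicKey

// Upload is a source package plus its detached maintainer signature.
type Upload struct {
	Name, Signer string
	Source, Sig  []byte
}

var (
	ErrUnknownSigner = errors.New("signer not in maintainer keyring")
	ErrBadSignature  = errors.New("signature does not cover these source bytes")
)

// Inject admits u into repo (name -> source digest) only after verification.
func Inject(repo map[string][32]byte, kr Keyring, u Upload) error {
	pub, ok := kr[u.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, u.Source, u.Sig) {
		return ErrBadSignature
	}
	repo[u.Name] = sha256.Sum256(u.Source)
	return nil
}

// Demo runs three constructed uploads: valid, altered after signing, unknown signer.
func Demo() (valid, altered, unknown error, admitted int) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	kr, repo := Keyring{"maintainer-a": pub}, map[string][32]byte{}
	src := []byte("hello_1.0.orig.tar.gz contents (constructed)")
	sig := ed25519.Sign(priv, src)
	valid = Inject(repo, kr, Upload{"hello", "maintainer-a", src, sig})
	altered = Inject(repo, kr, Upload{"hello2", "maintainer-a", append(src, '!'), sig})
	unknown = Inject(repo, kr, Upload{"hello3", "someone-else", src, sig})
	return valid, altered, unknown, len(repo)
}

func main() { fmt.Println(Demo()) }
```

The recorded digest is what a later build step would compare against before building; the gate itself says nothing about the integrity of the repository or the build host afterwards.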