
Re: Packages and signatures

>>"Michael" == Michael Neuffer <neuffer@mail.uni-mainz.de> writes:

 >> You really think a signature by an automated process has any
 >> security significance whatsoever? 

 Michael> In the context of our discussions in Atlanta (CVS/make world
 Michael> et al.), it would have the advantage that the package would
 Michael> be built in a clean common environment and not on one of
 Michael> 500 different machines with 500 different configurations
 Michael> where nobody knows who broke in already.

	Please note that I restricted my remarks to the signature
 issue. I am all for the make world (I even am volunteering to build
 all the changes required into the cvs-buildpackage suite to make this

	What we need is something like this: the Debian maintainers
 sign the source packages (as we already do). The entity running
 cvs-inject (or cvs-tree-inject) verifies the signature before
 injection into the repository. The build process then builds from
 this; and the resulting deb is signed by one of the build team; 

	How we ensure the integrity of the repository, and the build
 process itself needs to be determined. But just having an automated
 build process merrily sign the resulting debs is, umm, simplistic.

 Absence makes the heart grow fonder. Sextus Aurelius
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
