[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages and signatures

>>>>> "Michael" == Michael Neuffer <neuffer@mail.uni-mainz.de> writes:

    Michael> I would consider the autobuilders as a kind of trusted
    Michael> entity that is able to sign the resulting packages
    Michael> itself.

I agree.

Sure, it is a bit of a compromise, but basically that just means that
the private key doesn't have a password.

I don't think this is an issue though --- if somebody has access to
the private key, then they probably could tamper around with the build
process anyway, and trick a human into signing a badly compiled
binary. At least this way is better then not signing the binary at
Brian May <bam@debian.org>

Reply to: