[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages and signatures

>  Nicolás>  Yes, it's very reasonable (but all signatures should be
>  Nicolás> from autobuilders, and no developer should be allowed to
>  Nicolás> upload binaries, but that's another flamewar I won't start
>  Nicolás> now =) ).
> 	You really think a signature by an automated process has any
>  security significance whatsoever? 

 You are implying that dinstall shouldn't be trusted, and all our packages
are handled with a vulnerable daemon.

 A signature only extends the trust you already have in the signing entity,
to the signed object. The signature won't make packages more secure than
dinstall itself is. We already have a level of trust in dinstall, that trust
will give that "security significance" to a dinstall signed object.

Reply to: