Re: Packages and signatures
> Nicolás> Yes, it's very reasonable (but all signatures should be
> Nicolás> from autobuilders, and no developer should be allowed to
> Nicolás> upload binaries, but that's another flamewar I won't start
> Nicolás> now =) ).
> You really think a signature by an automated process has any
> security significance whatsoever?
You are implying that dinstall shouldn't be trusted, and all our packages
are handled with a vulnerable daemon.
A signature only extends the trust you already have in the signing entity,
to the signed object. The signature won't make packages more secure than
dinstall itself is. We already have a level of trust in dinstall, that trust
will give that "security significance" to a dinstall signed object.