Re: Packages and signatures

To: Manoj Srivastava <srivasta@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Packages and signatures
From: Nicolás Lichtmaier <nick@debian.org>
Date: Fri, 2 Feb 2001 23:41:25 -0300
Message-id: <[🔎] 20010202234125.F1848@debian.org>
In-reply-to: <[🔎] 87k87ayit6.fsf@glaurung.green-gryphon.com>; from srivasta@debian.org on Thu, Feb 01, 2001 at 01:16:21AM -0600
References: <20010127151936.A22490@taral.dhs.org> <20010127171349.M19317@alcor.net> <20010127231152.A830@debian.org> <20010127224509.Q19317@alcor.net> <20010128030306.A3706@debian.org> <20010128155213.X19317@alcor.net> <20010130230915.A8289@debian.org> <84g0i0l8ig.fsf@snoopy.apana.org.au> <20010131201212.B765@debian.org> <[🔎] 87k87ayit6.fsf@glaurung.green-gryphon.com>

>  Nicolás>  Yes, it's very reasonable (but all signatures should be
>  Nicolás> from autobuilders, and no developer should be allowed to
>  Nicolás> upload binaries, but that's another flamewar I won't start
>  Nicolás> now =) ).
> 
> 	You really think a signature by an automated process has any
>  security significance whatsoever? 

 You are implying that dinstall shouldn't be trusted, and all our packages
are handled with a vulnerable daemon.

 A signature only extends the trust you already have in the signing entity,
to the signed object. The signature won't make packages more secure than
dinstall itself is. We already have a level of trust in dinstall, that trust
will give that "security significance" to a dinstall signed object.

Reply to:

References:
- Re: Packages and signatures
  - From: Manoj Srivastava <srivasta@debian.org>

Prev by Date: Re: Packages and signatures
Next by Date: Re: changing to GnuPG
Previous by thread: Re: Packages and signatures
Next by thread: Re: Packages and signatures
Index(es):
- Date
- Thread