Re: Packages and signatures
Quoting Manoj Srivastava (srivasta@debian.org):
> >>"Michael" == Michael Neuffer <neuffer@mail.uni-mainz.de> writes:
>
> >> You really think a signature by an automated process has any
> >> security significance whatsoever?
>
> Michael> In the context of our discussions in Atlanta (CVS/make world
> Michael> et al.), it would have the advantage that the package would
> Michael> be build in an clean common environment and not on one of
> Michael> 500 different machines with 500 different configurations
> Michael> where nobody knows who broke in already.
>
> Please note that I restricted my remarks to the signature
> issue. I am all for the make world (I even am volunteering to build
> all the changes required into the cvs-buildpackage suite to make this
> happen)
>
> What we need is something like this: the Debian maintainers
> sign the source packages (as we already do). The entity running
> cvs-inject (or cvs-tree-inject) verifies the signature before
> injection into the repository. The build process then build from
> this; and the resulting deb is signed by one of the build team;
>
> How we ensure the integrity of the repository, and the build
> process itself needs to be determined. But just having a automated
> build process merrily sign the resulting debs is, umm, simplistic.
How are the autobuilders doing it at the moment ?
IIRC the resulting binary packages are not beeing signed by the
maintainers anymore, or by somebody maintaining one of the
autobuilders.
The sheer volume of packages beeing build for the growing number
of architectures makes it hmmmmm... at least inpractical as long
as we do not have a full time package signer paid by somebody.
I would consider the autobuilders as a kind of trusted entity
that is able to sign the resulting packages itself.
Mike
Reply to: