Re: Packages and signatures

To: debian-devel@lists.debian.org
Subject: Re: Packages and signatures
From: Brian May <bam@debian.org>
Date: 02 Feb 2001 10:42:58 +1100
Message-id: <[🔎] 8466iux94t.fsf@snoopy.apana.org.au>
In-reply-to: neuffer@mail.uni-mainz.de's message of "1 Feb 01 23:14:21 GMT"
References: <20010127231152.A830@debian.org> <20010127224509.Q19317@alcor.net> <20010128030306.A3706@debian.org> <20010128155213.X19317@alcor.net> <20010130230915.A8289@debian.org> <84g0i0l8ig.fsf@snoopy.apana.org.au> <20010131201212.B765@debian.org> <[🔎] 87k87ayit6.fsf@glaurung.green-gryphon.com> <[🔎] 20010201115848.A5087@mail.uni-mainz.de> <[🔎] 87vgqum72i.fsf@glaurung.green-gryphon.com> <[🔎] 20010202001421.C24243@mail.uni-mainz.de>

>>>>> "Michael" == Michael Neuffer <neuffer@mail.uni-mainz.de> writes:

    Michael> I would consider the autobuilders as a kind of trusted
    Michael> entity that is able to sign the resulting packages
    Michael> itself.

I agree.

Sure, it is a bit of a compromise, but basically that just means that
the private key doesn't have a password.

I don't think this is an issue though --- if somebody has access to
the private key, then they probably could tamper around with the build
process anyway, and trick a human into signing a badly compiled
binary. At least this way is better then not signing the binary at
all.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: Packages and signatures
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Packages and signatures
  - From: Michael Neuffer <neuffer@mail.uni-mainz.de>
- Re: Packages and signatures
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Packages and signatures
  - From: Michael Neuffer <neuffer@mail.uni-mainz.de>

Prev by Date: Re: RFC: Central version control for Debian
Next by Date: Re: RFC: Central version control for Debian
Previous by thread: Re: Packages and signatures
Next by thread: Re: Packages and signatures
Index(es):
- Date
- Thread