Re: Packages and signatures
>>>>> "Michael" == Michael Neuffer <neuffer@mail.uni-mainz.de> writes:
Michael> I would consider the autobuilders as a kind of trusted
Michael> entity that is able to sign the resulting packages
Michael> itself.
I agree.
Sure, it is a bit of a compromise, but basically that just means that
the private key doesn't have a password.
I don't think this is an issue though --- if somebody has access to
the private key, then they probably could tamper around with the build
process anyway, and trick a human into signing a badly compiled
binary. At least this way is better than not signing the binary at
all.
--
Brian May <bam@debian.org>