
Re: MIPS port backlog, autobuilder machines and some arrogance



Matt Zimmerman <mdz@debian.org> writes:

> On Mon, Nov 17, 2003 at 03:56:44PM +0100, Goswin von Brederlow wrote:
> 
> > DDs have to sign and upload a package with a backdoor.
> > 
> > On the buildd I can install a gcc or other tool that will silently add
> > a backdoor to anything getting compiled and the buildd admin will sign
> > and upload the package for me.
> > 
> > Much more anonymous.
> 
> The whole point of signing packages is that it is not anonymous at all, but
> traceable back to the signer.  Assuming the keyholder protects his key
> adequately, there is reasonable assurance that the keyholder and the signer
> are the same person.

Exactly my point.

As a non-DD running a buildd I have much more and anonymous access to
packages being built. I and some others are apparently trustworthy
enough by their DD friends but not by the DAM.

Regards,
        Goswin


