Re: How to improve archive verification possibilities for the future
On Sun, 2003-11-30 at 05:06, Isaac Jones wrote:
> Marc Haber <mh+debian-devel@zugschlus.de> writes:
>
> >> The Release files for unstable and testing still have to be signed
> >> automatically, but I'd really prefer to have that done by
> >> downloading the file to a non-public machine, signing there and
> >> re-uploading. Additionally, I'd like to have snapshots (for
> >> example all four weeks) to be signed manually with an off-line key.
>
> Since the signing of the Release files is probably one of the weakest
> points in the chain, perhaps the key which hosts this key should be
> running SELinux or something? That doesn't help if the build servers
> are cracked, but it does defend against some attacks.
>
Adamantix, http://www.adamantix.org/
may be a better choice.
Regards,
David.