
Re: Revival of the signed debs discussion

On Wed, Dec 03, 2003 at 03:17:20AM +0100, Goswin von Brederlow wrote:
> What the admin's signature can give us is a trusted timestamp and
> another pair of eyes reading the changes files.

Well, a trusted timestamp can be added/required by a third party. No need to
bother a build admin with signing packages he cannot verify.

Just make a small web service which receives a
<packagename,version,hash> string and answers with a signed timestamp. There
are even services like that out there on the net.

> Don't get me wrong, I'm all for a gpg key on the buildd to sign every
> deb. Not as a replacement for at least one person glancing over the
> result but as an extra measure.

How often does this person glance over the results? As I understand it, Debian
build daemons run unattended and build continuously. Correct me if I am wrong here.

But if I assume right, I don't want to lose that processing speed, especially
since it can be easily compensated with "3rd party" timestamps.

  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
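The small timestamping service sketched in the message above, as an added example that is not part of this thread and not Debian's or any buildd's code. It assumes an Ed25519 key for the service (the thread talks about gpg; the key type is an assumption), a hex SHA-256 hash of the package file as the third field, and a NUL-separated canonical string as the signed message. The point of the example is the defender's view of what such a token proves: the service signs only the <packagename,version,hash> triple it was handed plus the time it saw it, so any later change to package, version, hash or time fails verification, but nothing in the token says the build itself was sound, which is why it complements rather than replaces a human glance over the result.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// StampRequest is the <packagename,version,hash> triple from the message.
// Hash is the hex SHA-256 of the .deb (assumption); the service never sees
// the file itself, only this triple.
type StampRequest struct {
	Package string
	Version string
	Hash    string
}

// Token is the service's answer: the request echoed back, the time the
// service saw it, and a signature covering all of those fields.
type Token struct {
	StampRequest
	Unix int64
	Sig  []byte
}

// Service holds the timestamping key. Ed25519 is an assumption for this
// example; the clock is injectable so the behaviour is reproducible.
type Service struct {
	priv ed25519.PrivateKey
	now  func() time.Time
}

func NewService(now func() time.Time) (*Service, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Service{priv: priv, now: now}, pub, nil
}

// canonical builds the exact bytes that get signed. Fields are joined with a
// NUL byte, which is rejected inside any field, so characters cannot be
// shifted between fields to produce the same signed string.
func canonical(r StampRequest, unix int64) ([]byte, error) {
	for _, f := range []string{r.Package, r.Version, r.Hash} {
		if f == "" || strings.ContainsRune(f, '\x00') {
			return nil, fmt.Errorf("invalid field %q", f)
		}
	}
	if _, err := hex.DecodeString(r.Hash); err != nil || len(r.Hash) != sha256.Size*2 {
		return nil, fmt.Errorf("hash must be hex sha256: %q", r.Hash)
	}
	parts := []string{r.Package, r.Version, r.Hash, strconv.FormatInt(unix, 10)}
	return []byte(strings.Join(parts, "\x00")), nil
}

// Stamp is the service side: validate the triple, attach the current time,
// sign the canonical bytes.
func (s *Service) Stamp(r StampRequest) (Token, error) {
	unix := s.now().Unix()
	msg, err := canonical(r, unix)
	if err != nil {
		return Token{}, err
	}
	return Token{StampRequest: r, Unix: unix, Sig: ed25519.Sign(s.priv, msg)}, nil
}

// Verify is the client side: rebuild the canonical bytes from the token and
// check them against the service's public key. A changed package, version,
// hash or time, or a token from a different service, all fail here.
func Verify(pub ed25519.PublicKey, t Token) bool {
	msg, err := canonical(t.StampRequest, t.Unix)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, t.Sig)
}

// HashOf is what the submitting client computes over the package file.
func HashOf(deb []byte) string {
	sum := sha256.Sum256(deb)
	return hex.EncodeToString(sum[:])
}

func main() {
	fixed := time.Date(2003, 12, 3, 2, 17, 20, 0, time.UTC)
	svc, pub, err := NewService(func() time.Time { return fixed })
	if err != nil {
		panic(err)
	}
	deb := []byte("constructed stand-in for a .deb file") // constructed sample input
	tok, err := svc.Stamp(StampRequest{Package: "hello", Version: "2.1.1-4", Hash: HashOf(deb)})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine token verifies:", Verify(pub, tok))
	tok.Hash = HashOf([]byte("a different file"))
	fmt.Println("token with swapped hash verifies:", Verify(pub, tok))
}
```

Note that the token binds the hash, not the archive's package: a client that trusts such a timestamp still has to recompute the hash of the .deb it actually downloaded and compare, and it still needs the service's public key from somewhere it already trusts.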
