[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

On Fri, 2003-12-05 at 04:54, Manoj Srivastava wrote:

> > The only one which comes to mind is a rogue Debian developer that
> > you do not wish to trust, even though the project trusts him.
> 	Not quite. The signed deb is non-repudiable authorship -- nice
>  to know whence the software cometh.

No it isn't. For it to be non-repudiable, you'd have to demonstrate that
the key has not been compromised; that the developer knew what he was
signing (as opposed to a trojaned gpg telling him one thing while doing
another); etc. Proving those is quite impossible --- especially if he
doesn't want you to: He can always compromise his own key, on purpose.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: