Re: Revival of the signed debs discussion
Anthony DeRobertis <firstname.lastname@example.org> writes:
> On Fri, 2003-12-05 at 04:54, Manoj Srivastava wrote:
> > > The only one which comes to mind is a rogue Debian developer that
> > > you do not wish to trust, even though the project trusts him.
> > Not quite. The signed deb is non-repudiable authorship -- nice
> > to know whence the software cometh.
> No it isn't. For it to be non-repudiable, you'd have to demonstrate that
> the key has not been compromised; that the developer knew what he was
> signing (as opposed to a trojaned gpg telling him one thing while doing
> another); etc. Proving those is quite impossible --- especially if he
> doesn't want you to: He can always compromise his own key, on purpose.
If a package is compromised we can proof that the DD of the package
either is malicious or incompetent. Two good reasons to exclude
packages signed by him in the future. :)