Re: Revival of the signed debs discussion
Henning Makholm <firstname.lastname@example.org> writes:
> Scripsit Goswin von Brederlow <email@example.com>
> > If a package is compromised we can prove that the DD of the package
> > either is malicious or incompetent.
> Say, we just had a major compromise on certain Debian machines. Pray
> tell, who do you think this proves is malicious or incompetent? We'd
> certainly want to toss out the culprit ASAP.
Say master gets compromised. I don't really care, the deb signature of
the maintainer and buildds is still preventing any tampering. Each
signature adds another gpg key that has to be compromised to tamper
with existing debs.
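The verification policy argued for above (every signature on a .deb must check out, so an attacker holding one compromised key cannot alter an already-signed package), as an added example that is not part of this thread or of any Debian tool. It assumes Ed25519 keys as a stand-in for the maintainer's and buildd's GPG keys and a constructed byte string in place of a real .deb archive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one party whose signature the .deb must carry (maintainer, buildd).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
// NewSigner generates a fresh key pair standing in for that party's GPG key.
func NewSigner(name string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub, priv: priv}
}
// Sign returns a detached signature over the SHA-256 digest of the package bytes.
func (s Signer) Sign(deb []byte) []byte {
	d := sha256.Sum256(deb)
	return ed25519.Sign(s.priv, d[:])
}
// VerifyAll is the policy from the mail: every required signer must verify,
// so tampering with the .deb needs all of their keys, not just one.
func VerifyAll(deb []byte, required []Signer, sigs map[string][]byte) bool {
	d := sha256.Sum256(deb)
	for _, s := range required {
		sig, ok := sigs[s.Name]
		if !ok || !ed25519.Verify(s.Pub, d[:], sig) {
			return false
		}
	}
	return true
}
func main() {
	deb := []byte("constructed stand-in for a .deb archive") // constructed sample
	maint, buildd := NewSigner("maintainer"), NewSigner("buildd")
	sigs := map[string][]byte{"maintainer": maint.Sign(deb), "buildd": buildd.Sign(deb)}
	fmt.Println(VerifyAll(deb, []Signer{maint, buildd}, sigs)) // true
	// a backdoored .deb re-signed with only the buildd key still fails
	evil := []byte("backdoored deb")
	sigs["buildd"] = buildd.Sign(evil)
	fmt.Println(VerifyAll(evil, []Signer{maint, buildd}, sigs)) // false
}
```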