[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

On Fri, 2003-12-05 at 22:46, Goswin von Brederlow wrote:

> > No it isn't. For it to be non-repudiable, you'd have to demonstrate that
> > the key has not been compromised; that the developer knew what he was
> > signing (as opposed to a trojaned gpg telling him one thing while doing
> > another); etc. Proving those is quite impossible --- especially if he
> > doesn't want you to: He can always compromise his own key, on purpose.
> If a package is compromised we can proof that the DD of the package
> either is malicious or incompetent. Two good reasons to exclude
> packages signed by him in the future. :)

Would you care to send that to <debian-admin@lists.debian.org>, perhaps?

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: