
Re: Revival of the signed debs discussion



Scripsit Wouter Verhelst <wouter@grep.be>

> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.

Um, perhaps this is really stupid but: Since the signature on an
autobuilt .deb is not really worth more than the security of the
autobuilder, wouldn't it make sense to give the autobuilder its own
keypair that it stores locally with no passphrase and uses to sign
packages unattended?

If an attacker compromises the buildd to the point where he can gain
access to its secret key, he could just as well attack its build
environment, or simply use his access to convincingly forge an email
to you, asking you to sign a malicious package.

-- 
Henning Makholm            "We can hope that this serious deficiency will be
                      remedied in the final version of BibTeX, 1.0, which is
            expected to appear when the LaTeX 3.0 development is completed."


