Re: Revival of the signed debs discussion
On Wed, Dec 03, 2003 at 03:17:20AM +0100, Goswin von Brederlow wrote:
> What the admin's signature can give us is a trusted timestamp and
> another pair of eyes reading the changes files.
Well, a trusted timestamp can be added/required by a third party. No need to
bother a build admin with signing of packages he cannot verify.
Just make a small web service which receives a
<packagename,version,hash> string and answers with a signed timestamp. There
are even services like that out there on the net.
> Don't get me wrong, I'm all for a gpg key on the buildd to sign every
> deb. Not as a replacement to at least one person glancing over the
> result but as an extra measure.
How often has this person glanced over the results? As I understand it, Debian
build daemons run unattended and build continuously. Correct me if I am wrong here.
But if I assume right, I don't want to lose that processing speed, especially
since it can be easily compensated with "3rd party" timestamps.
Greetings
bernd
--
(OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
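
The <packagename,version,hash> timestamp exchange described in the message above, as an added example that is not part of the original post or of any Debian tool. It assumes Ed25519 in place of a GPG key and SHA-256 as the package hash; `Token`, `DebHash`, `Issue` and `Verify` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Token is the service's answer: the signed statement plus its signature.
type Token struct {
	Statement string // "package,version,hash,RFC 3339 UTC time"
	Sig       []byte
}

// DebHash is the hash the client submits; the service never sees the .deb.
func DebHash(deb []byte) string { s := sha256.Sum256(deb); return hex.EncodeToString(s[:]) }

// Issue is the service side: it vouches only for "this hash existed at this time".
func Issue(priv ed25519.PrivateKey, pkg, version, hash string, now time.Time) (Token, error) {
	for _, f := range []string{pkg, version, hash} {
		if f == "" || strings.ContainsAny(f, ",\n") { // keep the statement unambiguous
			return Token{}, fmt.Errorf("invalid field %q", f)
		}
	}
	stmt := strings.Join([]string{pkg, version, hash, now.UTC().Format(time.RFC3339)}, ",")
	return Token{stmt, ed25519.Sign(priv, []byte(stmt))}, nil
}

// Verify is run by anyone holding the service public key and the .deb itself.
func Verify(pub ed25519.PublicKey, tok Token, pkg, version string, deb []byte) (time.Time, error) {
	if !ed25519.Verify(pub, []byte(tok.Statement), tok.Sig) {
		return time.Time{}, fmt.Errorf("bad signature on timestamp token")
	}
	f := strings.Split(tok.Statement, ",")
	if len(f) != 4 || f[0] != pkg || f[1] != version || f[2] != DebHash(deb) {
		return time.Time{}, fmt.Errorf("token does not cover this package")
	}
	return time.Parse(time.RFC3339, f[3])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	deb := []byte("constructed stand-in for the .deb contents")
	tok, _ := Issue(priv, "hello", "2.10-1", DebHash(deb), time.Now())
	when, err := Verify(pub, tok, "hello", "2.10-1", deb)
	fmt.Println(tok.Statement, when, err)
}
```

The token proves only that the hash existed when the service signed it; it says nothing about who built the package or whether the contents are correct.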