Re: Bits (Nybbles?) from the Vancouver release team meeting
Op ma, 14-03-2005 te 19:15 +0100, schreef Sven Luther:
> so the buildd admin really examine all the packages for deviation that a
> compromised buildd could have incorporated before signing them ? Or that they
> scan the machine for a compromise and always detect them before signing ?
As you know, nothing gets uploaded to the archive without it having a
gpg signature by a key in the Debian gpg keyring. That goes for
autobuilt packages, too.
Also, I never sign stuff unless it gets through my filters and into the
right Maildir (and one of the things my filters check is the 'From'
address), so only the correct host will be able to upload.
Apart from that, I regularly log in to my buildd hosts, and check up on
them. If the host were compromised, I'd notice -- just as much as I'd
notice if anyone would compromise my firewall.
smog | bricks
AIR -- mud -- FIRE
soda water | tequila
-- with thanks to fortune