Re: buildds: "Authentication warning overridden."

Raphael Geissert wrote:
>Hi all,
>It's not uncommon to see buildds (actually build tools) override the
>package/Release signature warning.
>So I was wondering, what is the point of having such a signature
>verification system if the build systems do not care about them?
>I know the main target is to prevent end users from downloading
>compromised/not-legitimate packages. But, I'm thinking about a possible
>package compromise and buildds using such affected packages and leaving
>the possibility to have the built packages also compromised.
>Wouldn't it be better to have the buildds verify the Release signature
>rather than just overriding the warning?

That's all well and good, but the buildds also depend on using
packages from (for example) incoming, which it is not feasible to

Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I can't ever sleep on planes ... call it irrational if you like, but I'm
 afraid I'll miss my stop" -- Vivek Dasmohapatra
