Re: buildds: "Authentication warning overridden."
[I read the list, no need to reply To me, thanks]
Steve McIntyre wrote:
> That's all well and good, but the buildds also depend on using
> packages from (for example) incoming, which it is not feasible to
Even tough incoming is not signed, packages require a valid DD/similar
signature to be there.
What I worry about is having a mirror or even the main archive compromised,
because buildd's won't have a chance to possibly stop the attack because
signatures aren't verified.