Re: buildds: "Authentication warning overridden."
[I read the list, no need to reply To me, thanks]
Steve McIntyre wrote:
>
> That's all well and good, but the buildds also depend on using
> packages from (for example) incoming, which it is not feasible to
> sign.
>
Even tough incoming is not signed, packages require a valid DD/similar
signature to be there.
What I worry about is having a mirror or even the main archive compromised,
because buildd's won't have a chance to possibly stop the attack because
signatures aren't verified.
Regards,
Raphael
Reply to: