[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: buildds: "Authentication warning overridden."

* Michael Banck:

> Assuming that compromised mirrors get quickly identified by people using
> signatures, and buildd packages having to be uploaded directly, the
> amount of compromised packages this way is probably small, so they can
> be rebuilt using packages from another mirror, after the build logs have
> been inspected to see whether compromised packages have indeed been
> used.

I think it's possible to detect on the mirror side if the downloader is
going to verify any signatures. So it's possible to avoid the kind of
detection we get for free.

Reply to: