
Re: buildds: "Authentication warning overridden."



Raphael Geissert wrote:
>Hi all,
>
>It's not uncommon to see buildds (actually build tools) override the
>package/Release signature warning.
>So I was wondering, what is the point of having such a signature
>verification system if the build systems do not care about them?
>
>I know the main target is to prevent end users from downloading
>compromised/not-legitimate packages. But, I'm thinking about a possible
>package compromise and buildds using such affected packages and leaving
>the possibility to have the built packages also compromised.
>
>Wouldn't it be better to have the buildds verify the Release signature
>rather than just overriding the warning?

That's all well and good, but the buildds also depend on using
packages from (for example) incoming, which it is not feasible to
sign.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I can't ever sleep on planes ... call it irrational if you like, but I'm
 afraid I'll miss my stop" -- Vivek Dasmohapatra
