
Re: Is packages build without verifying the source package signatures?



On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So in practice, both verifications are
> happening, but not in the same place.
 
in practice, this also has obvious flaws. what's the technical reason
the buildds are not checking the signatures?


-- 
cheers,
	Holger
