On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So in practice, both verifications are
> happening, but not in the same place.

in practice, this also has obvious flaws. what's the technical reason
the buildds are not checking the signatures?

-- 
cheers,
Holger