
Re: Are packages built without verifying the source package signatures?



On Sun, Dec 03, 2017 at 10:41:17AM +0000, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads match a known developer key before passing
> > packages to the buildds. So in practice, both verifications are
> > happening, but not in the same place.
> in practice, this also has obvious flaws.

Please elaborate.

> What's the technical reason
> the buildds are not checking the signatures?

Unavailability of the keys. A key may have expired between upload
and build attempt.

Bastian

-- 
Leave bigotry in your quarters; there's no room for it on the bridge.
		-- Kirk, "Balance of Terror", stardate 1709.2

