Re: Are packages built without verifying the source package signatures?
On Sun, Dec 03, 2017 at 10:41:17AM +0000, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads match a known developer key before passing
> > packages to the buildds. So in practice, both verifications are
> > happening, but not in the same place.
> in practice, this also has obvious flaws.
Please elaborate.
> what's the technical reason
> the buildds are not checking the signatures?
Unavailability of the keys. The key may also have expired between the upload
and the build attempt.
Bastian
--
Leave bigotry in your quarters; there's no room for it on the bridge.
-- Kirk, "Balance of Terror", stardate 1709.2