
Re: Is packages build without verifying the source package signatures?



On Sun, Dec 03, 2017 at 11:40:31AM +0000, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > > in practice, this also has obvious flaws.
> > Please elaborate.
> for a start: one only needs to compromise one machine instead of many...

It would still only need to compromise one machine: The one from where
the keys are handled and distributed.

> > >                                           what's the technical reason
> > > the buildds are not checking the signatures?
> > Unavailability of the keys.  Key may have been expired between upload
> > and build attempt.
> I'm not sure this is an advantage then... or rather: I'd rather see a
> requirement that keys used for signing are valid for at least another
> year after the upload.

Does not help.  Also people prefer not to have keys lying around that
are valid for this much time.

Bastian

-- 
Love sometimes expresses itself in sacrifice.
		-- Kirk, "Metamorphosis", stardate 3220.3