
Re: Is packages build without verifying the source package signatures?



On 03/12/2017 12:40, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
>>> in practice, this also has obvious flaws.
>> Please elaborate.
> 
> for a start: one only needs to compromise one machine instead of many...
> 
>>>                                           what's the technical reason
>>> the buildds are not checking the signatures?
>> Unavailability of the keys.  Key may have been expired between upload
>> and build attempt.
> 
> I'm not sure this is an advantage then... or rather: I'd rather see a
> requirement that keys used for signing are valid for at least another
> year after the upload.
> 

While I understand your reasoning, and I agree more checks are better, I
think keeping expired keys around is a bad idea. What if those keys are
compromised? What about revocation?


Cheers,

-- 
nodens

