Re: Crypto signing of packages

To: Debian developers list <debian-devel@lists.debian.org>
Subject: Re: Crypto signing of packages
From: Ian Jackson <ian@chiark.greenend.org.uk>
Date: Tue, 18 Feb 97 05:22 GMT
Message-id: <[🔎] m0vwi15-0004NyC@chiark.greenend.org.uk>

Bruce:
> I'd be OK with accepting PGP-signed communication from a maintainer
> regarding security matters, once that maintainer had been through
> our certification procedure. Of course this relies on maintainers
> not getting their keys compromised.

I'm afraid that this is not a realistic requirement.  Maintainers keys
_will_ be compromised.

We have either to live with the situation where anyone who can
compromise any maintainer's key can get trojan code into our
distribution, or we have to come up with a way of detecting and
dealing with maintainer key compromise.

There are tradeoffs here.

Ian.


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to:

Follow-Ups:
- Re: Crypto signing of packages
  - From: Richard Jones <richard@a42.deep-thought.org>
- Re: Crypto signing of packages
  - From: "Orn E. Hansen" <oe.hansen@halmstad.mail.telia.com>

Prev by Date: Upcoming Debian Releases
Next by Date: Bug#2481: Posting rejected - please read and agree to mailing list rules.
Previous by thread: Re: Crypto signing of packages
Next by thread: Re: Crypto signing of packages
Index(es):
- Date
- Thread