Re: Official Debian digital 'branding' of debs
> Nicolás> But there IS a single point of failure. All solutions you
> Nicolás> can image will have that. If you have developers sign
> Nicolás> packages with their own keys, you'll need a mean to
> Nicolás> `authorize' developers, in the form of a Debian signature to
> Nicolás> the developers' signature.
> Not true. The presence of the developers keys in the
> debian-keyring package should be enough, as long as you have a secure
> keyring.
Uh? What's that? Since when one should be careful about which keys allows
in his key ring? The security check you propose requires a specific
knowledge that users won't probably have.
Besides I'd like to have a test that could be carried out automatically...
We should have a main key, and design fast channels to announce if the key
is compromised... Online packaging tools could check for this key status
also....
> Having a detatched signature on the keyring made by the
> master key is your security.
I didn't unserstand this sentence...
Reply to: