Re: Official Debian digital 'branding' of debs
Hi,
>>"Goswin" == Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de> writes:
Goswin> So deb files won't be signed at all, or signed by the autobuilders.
How is it handled now?
Goswin> Hacking the autobuilders and stealing the key is all you need. The
Goswin> password for the key will be in the shell environment, so that's easy to
Goswin> get, once you hacked the comp.
Having things done by autobuilders is a weak security setup
anyway, unless a human checks and, taking responsibility,
signs the packages produced.
Goswin> There would be no security gained from a signed keyring package, not
Goswin> for deb files anyway.
Really? All I have to do is ensure that I have the correct
debian key, and thus make sure the keyring is OK too, and then
check the signature on the package (assuming the data.tar.gz et al in
the .deb file have detached signatures, possibly embedded in the .deb
file too).
manoj
--
It's no surprise that things are so screwed up: everyone that knows
how to run a government is either driving taxicabs or cutting
hair. George Burns
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
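As an added illustration of the verification chain Manoj describes (trust one root key, use it to check the keyring, then check the package signature against a key listed in that keyring), and not code from this thread or from Debian's tools: a small Go program that assembles a .deb-shaped ar archive, embeds a detached signature as an extra member, and verifies it. The member name `_sig`, the use of Ed25519, the "pubkey || signature" layout and the digest construction are assumptions made for the example; the control.tar.gz and data.tar.gz members are constructed placeholder bytes rather than real tarballs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

// sigMember is a hypothetical name for the member carrying the embedded detached signature.
const sigMember = "_sig"

// arWrite emits a BSD-style ar archive: the "!<arch>\n" magic, then per member a 60-byte
// header (name 16, mtime 12, uid 6, gid 6, mode 8, size 10, magic 2) followed by the data.
func arWrite(order []string, m map[string][]byte) []byte {
	b := bytes.NewBufferString("!<arch>\n")
	for _, name := range order {
		fmt.Fprintf(b, "%-16s%-12s%-6s%-6s%-8s%-10d`\n", name, "0", "0", "0", "100644", len(m[name]))
		b.Write(m[name])
		b.WriteString("\n"[:len(m[name])%2]) // odd-length members are padded to an even offset
	}
	return b.Bytes()
}

// arRead parses an archive into a name -> contents map, rejecting malformed headers.
func arRead(deb []byte) (map[string][]byte, error) {
	if !bytes.HasPrefix(deb, []byte("!<arch>\n")) {
		return nil, errors.New("not an ar archive")
	}
	out, pos := map[string][]byte{}, 8
	for pos+60 <= len(deb) {
		hdr := deb[pos : pos+60]
		size, err := strconv.Atoi(string(bytes.TrimSpace(hdr[48:58])))
		if err != nil || string(hdr[58:]) != "`\n" || pos+60+size > len(deb) {
			return nil, errors.New("malformed member header")
		}
		out[string(bytes.TrimRight(hdr[:16], " "))] = deb[pos+60 : pos+60+size]
		pos += 60 + size + size%2
	}
	return out, nil
}

// packageDigest hashes member names and lengths along with contents, so members
// cannot be renamed, reordered or spliced without invalidating the signature.
func packageDigest(m map[string][]byte) []byte {
	h := sha256.New()
	for _, name := range []string{"debian-binary", "control.tar.gz", "data.tar.gz"} {
		fmt.Fprintf(h, "%s:%d\n", name, len(m[name]))
		h.Write(m[name])
	}
	return h.Sum(nil)
}

// BuildSignedDeb assembles the package and appends a member holding "signer pubkey || signature".
func BuildSignedDeb(priv ed25519.PrivateKey, control, data []byte) []byte {
	m := map[string][]byte{"debian-binary": []byte("2.0\n"), "control.tar.gz": control, "data.tar.gz": data}
	m[sigMember] = append([]byte(priv.Public().(ed25519.PublicKey)), ed25519.Sign(priv, packageDigest(m))...)
	return arWrite([]string{"debian-binary", "control.tar.gz", "data.tar.gz", sigMember}, m)
}

// VerifyDeb walks the trust chain: root key -> keyring -> signer key -> package contents.
func VerifyDeb(rootPub ed25519.PublicKey, keyring, keyringSig, deb []byte) error {
	if len(keyring)%ed25519.PublicKeySize != 0 || !ed25519.Verify(rootPub, keyring, keyringSig) {
		return errors.New("keyring is malformed or not signed by the root key")
	}
	m, err := arRead(deb)
	blob := m[sigMember] // lookup on a nil map is safe when err != nil
	if err != nil || len(blob) != ed25519.PublicKeySize+ed25519.SignatureSize {
		return errors.New("package unreadable or signature member missing/malformed")
	}
	signer := ed25519.PublicKey(blob[:ed25519.PublicKeySize])
	trusted := false
	for i := 0; i < len(keyring); i += ed25519.PublicKeySize {
		trusted = trusted || bytes.Equal(keyring[i:i+ed25519.PublicKeySize], signer)
	}
	if !trusted {
		return errors.New("signer key is not in the trusted keyring")
	}
	if ed25519.Verify(signer, packageDigest(m), blob[ed25519.PublicKeySize:]) {
		return nil
	}
	return errors.New("package signature does not match contents")
}

// Demo generates fresh keys and reports the outcome for a genuine package, one whose
// data member was altered after signing, and one signed by a key outside the keyring.
func Demo() (genuine, tampered, untrusted error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	buildPub, buildPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	keyring := []byte(buildPub)                   // the keyring lists the trusted builder key
	keyringSig := ed25519.Sign(rootPriv, keyring) // the root key vouches for the keyring
	control, data := []byte("constructed control.tar.gz"), []byte("constructed data.tar.gz contents")
	deb := BuildSignedDeb(buildPriv, control, data)
	genuine = VerifyDeb(rootPub, keyring, keyringSig, deb)
	tampered = VerifyDeb(rootPub, keyring, keyringSig, bytes.Replace(deb, []byte("contents"), []byte("CONTENTS"), 1))
	untrusted = VerifyDeb(rootPub, keyring, keyringSig, BuildSignedDeb(roguePriv, control, data))
	return
}

func main() {
	genuine, tampered, untrusted := Demo()
	fmt.Println("genuine:", genuine, "| tampered:", tampered, "| untrusted:", untrusted)
}
```

The point the example makes concrete is that the package signature on its own proves nothing: it only says who signed, and that name is worth trusting only because the keyring naming it was itself signed by the one key the verifier already holds. A stolen autobuilder key, as Goswin describes, defeats this chain only for as long as that key stays in the signed keyring.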