[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Official Debian digital 'branding' of debs

Hi,
>>"Goswin" == Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de> writes:
 Goswin> So deb files wont be signed at all, or signed by the autobuilders.

        How is it handled now? 

 Goswin> Hacking the autobuilders and stealing the key is all you need. The
 Goswin> password for the key will be in the shell enviroment, so thats easy to 
 Goswin> get, once you hacked the comp.

        Having things done by autobuilders is a weak security setuoup
 anyway, unless a human checks and, taking responsibility,
 signs the packages produced.

 Goswin> There would be no security gained from a signed keyring package, not
 Goswin> for deb files anyway.

        Really? All I have to do is ensure that I have the correct
 debian key, and thusd mae sure the keyring is OK too, and then
 check the signature on the package (assuming the data.tar.gz et al in
 the .deb file have detached signatures, possibly embedded in the .deb
 file too).

        manoj

-- 
 It's no surprise that things are so screwed up: everyone that knows
 how to run a government is either driving taxicabs or cutting
 hair. George Burns
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
Reply to: