Re: Is packages build without verifying the source package signatures?

To: debian-security@lists.debian.org
Subject: Re: Is packages build without verifying the source package signatures?
From: Holger Levsen <holger@layer-acht.org>
Date: Sun, 3 Dec 2017 10:41:17 +0000
Message-id: <[🔎] 20171203104117.hhpj7ilbxai7657s@layer-acht.org>
In-reply-to: <[🔎] CAKTje6GTSee3qqd_Dtmsn2UUGiQp4iWWAsgwjMcCrYQrp2MRnw@mail.gmail.com>
References: <[🔎] f90f8dba-010b-400a-d786-4d41509dca9f@gmail.com> <[🔎] CAKTje6GTSee3qqd_Dtmsn2UUGiQp4iWWAsgwjMcCrYQrp2MRnw@mail.gmail.com>

On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So in practice, both verifications are
> happening, but not in the same place.
 
in practice, this also has obvious flaws. what's the technical reason
the buildds are not checking the signatures?


-- 
cheers,
	Holger

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Is packages build without verifying the source package signatures?
  - From: Bastian Blank <waldi@debian.org>

References:
- Is packages build without verifying the source package signatures?
  - From: Davide Prina <davide.prina@gmail.com>
- Re: Is packages build without verifying the source package signatures?
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: Is packages build without verifying the source package signatures?
Next by Date: Re: Is packages build without verifying the source package signatures?
Previous by thread: Re: Is packages build without verifying the source package signatures?
Next by thread: Re: Is packages build without verifying the source package signatures?
Index(es):
- Date
- Thread