On 2014-02-15 15:34, Henrique de Moraes Holschuh wrote:
> On Sat, 15 Feb 2014, Philipp Kern wrote:
>> That's why I was careful to publish the address nowhere. We do some
> Unfortunately, that cat is out of the bag, now. Whether it will get spammed
> or attacked, I don't know.
> However, it is not like we ever could trust the logs anyway for any security
> purposes, as they are not signed by the same key that signed the respective
> changes file for the upload. Currently, they're useful for debug purposes,
> and that's it (which is fine).

Yeah, they could be, if sbuild is extended to sign the logs. That said,
we do trust our mail-in. We can trust the received headers to some
degree (for timestamps and where the mail came from), but we cannot rule
out on-disk tampering.
Kind regards
Philipp Kern