On 03/12/2017 12:40, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
>>> in practice, this also has obvious flaws.
>> Please elaborate.
>
> for a start: one only needs to compromise one machine instead of many...
>
>>> what's the technical reason
>>> the buildds are not checking the signatures?
>> Unavailability of the keys. Key may have been expired between upload
>> and build attempt.
>
> I'm not sure this is an advantage then... or rather: I'd rather see a
> requirement that keys used for signing are valid for at least another
> year after the upload.
>
While I understand your reasoning, and I agree more checks are better, I
think keeping expired keys around is a bad idea. What if those keys are
compromised? What about revocation?

Cheers,
--
nodens

