Em 04-02-2014 17:37, Daniel Cegiełka escreveu: > I agree with the fact that we have no solution to this problem, and > probably will not find it quickly (or ever). I do not want to shout > that now we have to do something. I want to make people aware that > even with signify still need to keep limited trust. > > best, > Daniel You do not need to do this. The people who cares about this, know that there is no solution. And do not delude yourself thinking that there will ever be one. There are many attacks that even with signed packages, base, whatever, are possible and can be way more damaging. The evil developer attack, Trusting trust issues, etc. There are lots of vectors an operational system can be entirely compromised, before it's even installed on your machine. And since it's an OS, there can't even be deterministic builds, perhaps just of some binaries in base, for some platforms, never of the kernel itself.
Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC
