> On Sat, Aug 20, 2016 at 03:13:00PM +0000, Ximin Luo wrote:
>> Note that the builder is a *distinct entity* from the distribution.
>> It's important to keep the *original* signature by B on C. It breaks
>> our security logic to strip the signature and re-sign C using (e.g.)
>> the Debian archive release keys - because the entity in charge of this
>> release key is not the one that actually performed the build. Doing
>> this would allow malicious builders to re-attribute their misdeeds to
>> look like it's the fault of Debian.
> Debian already does this in the context of the fact that Package files
> etc are signed by the archive key. It's possible to go and grab the .dsc
> file to see who did the file build, but day-to-day no one is using these
> to verify the binaries they receive. I care more that Debian stands
> behind the packages I download than being able to verify individually
> who built each of the packages I'm running - there's no meaningful way I
> can attribute trust to *all* of the people who packaged something I have
You have this backwards.
"Being able to verify individually who built each of the packages I'm running"
is *exactly* what is required to *not* have to
"attribute trust to *all* of the people who packaged something I have"
and that is one major (probably the main) goal of R-B.
Now that I point this out - do you agree, and does it change your mind on
anything you previously said?
Reproducible-builds mailing list
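The verification logic argued for in the thread above (check individually who built each package, so that trust has to be placed in only a few agreeing builders rather than in all of them, and keep each builder's own signature instead of re-signing with one archive key), as an added runnable example. This is not code from the thread or from the reproducible-builds project. HMAC with constructed per-signer secrets stands in for the OpenPGP signatures real builders put on .buildinfo files so that it runs with the standard library only; the package name, hashes, key ids and the `required` threshold are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed example keys. Real builders sign with OpenPGP keys; HMAC with
# a per-signer secret stands in here so the example needs only the standard
# library. The verification policy below is the point, not the primitive.
BUILDER_KEYS = {
    "builder-alice": b"alice-secret-key",
    "builder-bob": b"bob-secret-key",
    "builder-carol": b"carol-secret-key",
}
ARCHIVE_KEY = {"archive": b"archive-release-key"}


@dataclass(frozen=True)
class Attestation:
    signer: str     # key id of whoever signed this record
    artifact: str   # package name and version
    sha256: str     # hash of the built binary package the signer claims
    sig: str        # hex signature over (artifact, sha256)


def _message(artifact: str, sha256: str) -> bytes:
    # Canonical encoding so every signer and verifier hashes the same bytes.
    return json.dumps({"artifact": artifact, "sha256": sha256}, sort_keys=True).encode()


def sign(signer: str, key: bytes, artifact: str, sha256: str) -> Attestation:
    sig = hmac.new(key, _message(artifact, sha256), hashlib.sha256).hexdigest()
    return Attestation(signer, artifact, sha256, sig)


def verify(att: Attestation, keyring: dict) -> bool:
    key = keyring.get(att.signer)
    if key is None:
        return False
    expected = hmac.new(key, _message(att.artifact, att.sha256), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.sig)


def independently_attested(atts, keyring, artifact, sha256, required):
    """Return (ok, agreeing_signers, disagreeing_signers).

    A signer counts once, and only if its signature verifies and it vouches
    for the exact hash we hold. This is the "verify individually who built
    it" check: `required` distinct builders must agree; the rest need not
    be trusted at all, and a builder that disagrees is named, not hidden.
    """
    agree, disagree = set(), set()
    for att in atts:
        if att.artifact != artifact or not verify(att, keyring):
            continue  # wrong package or signature does not verify: ignored
        (agree if att.sha256 == sha256 else disagree).add(att.signer)
    return len(agree) >= required, agree, disagree


def re_sign_with_archive_key(att: Attestation) -> Attestation:
    # The practice the quoted message objects to: drop the builder's signature
    # and re-sign the same claim with the archive key. The claim survives,
    # the attribution to the builder that actually ran the build does not.
    return sign("archive", ARCHIVE_KEY["archive"], att.artifact, att.sha256)


def demo():
    artifact = "hello_2.10-1_amd64.deb"  # constructed name
    good = hashlib.sha256(b"constructed package bytes").hexdigest()
    bad = hashlib.sha256(b"constructed package bytes, differing build").hexdigest()
    atts = [
        sign("builder-alice", BUILDER_KEYS["builder-alice"], artifact, good),
        sign("builder-bob", BUILDER_KEYS["builder-bob"], artifact, good),
        sign("builder-carol", BUILDER_KEYS["builder-carol"], artifact, bad),
    ]
    # With the builders' own signatures: two agree, carol is identifiable.
    with_builders = independently_attested(atts, BUILDER_KEYS, artifact, good, required=2)
    # After re-signing: one key both agrees and disagrees; nobody is named.
    resigned = [re_sign_with_archive_key(a) for a in atts]
    with_archive = independently_attested(resigned, ARCHIVE_KEY, artifact, good, required=2)
    return with_builders, with_archive


if __name__ == "__main__":
    print(demo())
```

Run as-is to see the two outcomes side by side: with the builders' signatures kept, the policy passes on two agreeing builders and names the one whose build differed; after re-signing, the only signer is the archive key, the threshold cannot be met, and the same key id appears as both agreeing and disagreeing, which is exactly the loss of attribution the message describes.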