On 03/12/2017 12:40, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
>>> in practice, this also has obvious flaws.
>> Please elaborate.
>
> for a start: one only needs to compromise one machine instead of many...
>
>>>
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
>
> > If I'm not mistaken, the automatic package build system doesn't require that the
> > source signature is verified correctly.
>
> To clarify what Adam said; there are two times where
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
- -
Debian Security Advisory DSA-4054-1 secur...@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 03, 2017
On Sun, Dec 03, 2017 at 01:11:50PM +0100, Bastian Blank wrote:
> It would still only need to compromise one machine: The one from where
> the keys are handled and distributed.
I rest my case. I'd secure the front door even if the side door (atm
still) can be compromised easily.
--
cheers,
On Sun, Dec 03, 2017 at 11:40:31AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > > in practice, this also has obvious flaws.
> > Please elaborate.
> for a start: one only needs to compromise one machine instead of many...
It would still only need
On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > in practice, this also has obvious flaws.
> Please elaborate.
for a start: one only needs to compromise one machine instead of many...
> > what's the technical reason
> > the buildds are
On Sun, Dec 03, 2017 at 10:41:17AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So