Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Clément Hermann
On 03/12/2017 12:40, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
>>> in practice, this also has obvious flaws.
>> Please elaborate.
>
> for a start: one only needs to compromise one machine instead of many...
>
>>>

Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Kurt Roeckx
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
>
> > If I don't mistake the automatic package build system don't require that the
> > source signature is verified correctly.
>
> To clarify what Adam said; there are two times where

Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 01:11:50PM +0100, Bastian Blank wrote:
> It would still only need to compromise one machine: The one from where
> the keys are handled and distributed.

I rest my case. I'd secure the front door even if the side door (atm still) can be compromised easily.

-- 
cheers,

Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Bastian Blank
On Sun, Dec 03, 2017 at 11:40:31AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > > in practice, this also has obvious flaws.
> > Please elaborate.
> for a start: one only needs to compromise one machine instead of many...

It would still only need

Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > in practice, this also has obvious flaws.
> Please elaborate.

for a start: one only needs to compromise one machine instead of many...

> > what's the technical reason
> > the buildds are

Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Bastian Blank
On Sun, Dec 03, 2017 at 10:41:17AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads

Re: Is packages build without verifying the source package signatures?

2017-12-03 Thread Holger Levsen
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds.

So

Re: Is packages build without verifying the source package signatures?

2017-12-02 Thread Paul Wise
On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
> If I don't mistake the automatic package build system don't require that the
> source signature is verified correctly.

To clarify what Adam said; there are two times where source package verification can happen during builds. The first is

Re: Is packages build without verifying the source package signatures?

2017-12-02 Thread Adam D. Barratt
On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I don't mistake the automatic package build system don't require
> that the source signature is verified correctly.
[...]
> So it don't have the public key (?) and so it don't check the
> package signature. But the package is build

Is packages build without verifying the source package signatures?

2017-12-02 Thread Davide Prina
If I don't mistake the automatic package build system don't require that the source signature is verified correctly.

In here:
https://buildd.debian.org/status/fetch.php?pkg=gnome-shell=amd64=3.26.2-1=1509919343=0

I have found this:

Unpack source - gpgv: unknown type of key