On 03/12/2017 12:40, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
>>> in practice, this also has obvious flaws.
>> Please elaborate.
>
> for a start: one only needs to compromise one machine instead of many...
>
>>>
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
>
> > If I'm not mistaken, the automatic package build system doesn't require that the
> > source signature is verified correctly.
>
> To clarify what Adam said; there are two times where
On Sun, Dec 03, 2017 at 01:11:50PM +0100, Bastian Blank wrote:
> It would still only need to compromise one machine: The one from where
> the keys are handled and distributed.
I rest my case. I'd secure the front door even if the side door (atm
still) can be compromised easily.
--
cheers,
On Sun, Dec 03, 2017 at 11:40:31AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > > in practice, this also has obvious flaws.
> > Please elaborate.
> for a start: one only needs to compromise one machine instead of many...
It would still only need
On Sun, Dec 03, 2017 at 12:05:51PM +0100, Bastian Blank wrote:
> > in practice, this also has obvious flaws.
> Please elaborate.
for a start: one only needs to compromise one machine instead of many...
> > what's the technical reason
> > the buildds are
On Sun, Dec 03, 2017 at 10:41:17AM +, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> The Debian buildds only do the first verification (due to all Debian
> package uploader keys not being installed) but the Debian archive
> verifies that all uploads match a known developer key before passing
> packages to the buildds. So
On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require that the
> source signature is verified correctly.
To clarify what Adam said; there are two times where source package
verification can happen during builds. The first is
On Sat, 2017-12-02 at 12:15 +0100, Davide Prina wrote:
> If I'm not mistaken, the automatic package build system doesn't require
> that the source signature is verified correctly.
[...]
> So it doesn't have the public key (?) and so it doesn't check the
> package signature. But the package is built
If I'm not mistaken, the automatic package build system doesn't require that
the source signature is verified correctly.
In here:
https://buildd.debian.org/status/fetch.php?pkg=gnome-shell=amd64=3.26.2-1=1509919343=0
I have found this:
Unpack source
-
gpgv: unknown type of key