Jonathan McDowell:
> On Sat, Aug 20, 2016 at 03:13:00PM +0000, Ximin Luo wrote:
>> Note that the builder is a *distinct entity* from the distribution.
>> It's important to keep the *original* signature by B on C. It breaks
>> our security logic to strip the signature and re-sign C using (e.g.)
>> the Debian archive release keys - because the entity in charge of this
>> release key is not the one that actually performed the build. Doing
>> this would allow malicious builders to re-attribute their misdeeds to
>> look like it's the fault of Debian.
>
> Debian already does this in the context of the fact that Packages files
> etc. are signed by the archive key. It's possible to go and grab the .dsc
> file to see who did the file build, but day-to-day no one is using these
> to verify the binaries they receive. I care more that Debian stands
> behind the packages I download than being able to verify individually
> who built each of the packages I'm running - there's no meaningful way I
> can attribute trust to *all* of the people who packaged something I have
> installed.
>
You have this backwards. "Being able to verify individually who built each
of the packages I'm running" is *exactly* what is required to *not* have to
"attribute trust to *all* of the people who packaged something I have
installed", and that is one major (probably the main) goal of R-B.

Now that I point this out - do you agree, and does it change your mind on
anything you previously said?

X

--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git