On Sat, 21 Jan 2017 14:01:20 +0100, Santiago Vila wrote: > I wonder if we can really assume that an autobuilder will always have > enough "entropy", like we do for memory.
Yup, that's a good question ... > Apparently we implicitly assume such thing, but I still think we should not. > For example: Does this package really need to generate a key at build > time? It may not be pregenerated and used during the build, like other > packages do? (mini-buildd comes to mind). The package has support for various gpg operations, and tests them. This involves key generation, and signing/verifying, encrypting/decrypting. When I looked at this issue after you filed the bug, I tried to just disable the key generation test, which is easy but not helpful because some other tests then fail because of the missing key. So yeah, maybe a pre-generated key would be a compromise ... Cheers, gregor -- .''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Bob Dylan: Drifter's Escape
signature.asc
Description: Digital Signature
