On Mon, Nov 17, 2003 at 03:56:44PM +0100, Goswin von Brederlow wrote:
> DDs have to sign and upload a package with a backdoor.
>
> On the buildd I can install a gcc or other tool that will silently add
> a backdoor to anything getting compiled and the buildd admin will sign
> and upload the package for me.
>
> Much more anonymous.

The whole point of signing packages is that it is not anonymous at all,
but traceable back to the signer. Assuming the keyholder protects his
key adequately, there is reasonable assurance that the keyholder and the
signer are the same person.

-- 
 - mdz