Matt Zimmerman <[EMAIL PROTECTED]> writes:

> On Mon, Nov 17, 2003 at 03:56:44PM +0100, Goswin von Brederlow wrote:
> > > DDs have to sign and upload a package with a backdoor.
> >
> > On the buildd I can install a gcc or other tool that will silently add
> > a backdoor to anything getting compiled and the buildd admin will sign
> > and upload the package for me.
> >
> > Much more anonymous.
>
> The whole point of signing packages is that it is not anonymous at all, but
> traceable back to the signer. Assuming the keyholder protects his key
> adequately, there is reasonable assurance that the keyholder and the signer
> are the same person.

Exactly my point. As a non-DD running a buildd I have much more and
anonymous access to packages being built.

I and some others are apparently trustworthy enough by their DD friends
but not by the DAM.

Regards,
Goswin