Op ma, 14-03-2005 te 19:15 +0100, schreef Sven Luther:
> so the buildd admin really examine all the packages for deviation that a
> compromised buildd could have incorporated before signing them ? Or that they
> scan the machine for a compromise and always detect them before signing ?
Not really.
As you know, nothing gets uploaded to the archive without it having a
gpg signature by a key in the Debian gpg keyring. That goes for
autobuilt packages, too.
Also, I never sign stuff unless it gets through my filters and into the
right Maildir (and one of the things my filters check is the 'From'
address), so only the correct host will be able to upload.
Apart from that, I regularly log in to my buildd hosts, and check up on
them. If the host were compromised, I'd notice -- just as much as I'd
notice if anyone would compromise my firewall.
--
EARTH
smog | bricks
AIR -- mud -- FIRE
soda water | tequila
WATER
-- with thanks to fortune
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
