On 2011-09-02, Henrique de Moraes Holschuh <h...@debian.org> wrote:
> On Fri, 02 Sep 2011, Bastian Blank wrote:
>> On Thu, Sep 01, 2011 at 06:05:01PM -0300, Henrique de Moraes Holschuh wrote:
>> > Our kernels are not a problem. The Debian mirror in mirrors.kernel.org,
>> > on the other hand... While the apt signature will protect users
>> > downloading packages through the package manager, users that get binary
>> > packages directly are not protected.
>> The connection is not authenticated, so it makes no difference if you
>> get modified stuff or if it is modified in transit.
> Yeah, yeah. We've beaten that horse to death, and our side lost. I also
> advocate that all debs should be signed, but that was not the will of the
> ftp-masters the last time the issue was up for discussion.

And we should get the archive signing key into a HSM.

Kind regards
Philipp Kern