Hi all,

It's not uncommon to see buildds (actually build tools) override the package/Release signature warning. So I was wondering, what is the point of having such a signature verification system if the build systems do not care about them?
I know the main target is to prevent end users from downloading compromised/not-legitimate packages. But I'm thinking about a possible package compromise and buildds using such affected packages, leaving the possibility of the built packages also being compromised. Wouldn't it be better to have the buildds verify the Release signature rather than just overriding the warning?

Cheers,
Raphael Geissert