On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote: > If I don't mistake the automatic package build system don't require that the > source signature is verified correctly.
To clarify what Adam said; there are two times where source package verification can happen during builds. The first is during "Download source files with APT", which verifies hashes of the source files against the hashes known for those files by apt, the keys for this stage are the archive keys. The second is during "Unpack source", which runs dpkg-source to extract the source package and (if all Debian package uploader keys are installed) verifies the signature of the source package matches a known developer key. The Debian buildds only do the first verification (due to all Debian package uploader keys not being installed) but the Debian archive verifies that all uploads match a known developer key before passing packages to the buildds. So in practice, both verifications are happening, but not in the same place. -- bye, pabs https://wiki.debian.org/PaulWise
