On Sun, 16 Jun 2024 at 19:00, Scott Kitterman <deb...@kitterman.com> wrote:
> I can see that, but that leads to what I view as a problem. The thing in the
> archive is signed by a machine, not the human who decided it should be
> uploaded.
That is nothing new or particularly controversial for the Debian Archive. Nowadays, most uploads are source-only, so all binary packages are built by buildd servers and thus are signed by a machine. Even before that, the key index files like Release and Packages in the archive have always been generated and signed by a machine. Those are things that actual end-users use and that can directly compromise millions of machines in a few hours. Pretty important stuff IMHO. Compared to that, a machine signing a Debian-specific intermediate source package artifact (that normally is only used by Debian buildd servers) sounds quite inconsequential.

The key is that a human initiated the chain of events and signatures with an authenticated signature. Where that happens does not really matter all that much and has changed in the past in Debian already.

-- 
Best regards,
    Aigars Mahinovs        mailto:aigar...@debian.org
#--------------------------------------------------------------#
| .''`.   Debian GNU/Linux             (http://www.debian.org) |
| : :' :  Latvian Open Source Assoc.   (http://www.laka.lv)    |
| `. `'   Linux Administration and Free Software Consulting    |
|   `-    (http://www.aiteki.com)                              |
#--------------------------------------------------------------#
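The chain the message describes, as an added example that is not part of the original thread and not Debian's own tooling: a human developer signs the source upload, a buildd signs the binary it built from that source (referencing the upload by hash), and the archive key signs the Release file covering the Packages index. A client walking the chain backwards accepts the archive only if every link verifies, every reference matches, and the root is a human-authenticated upload rather than a machine key. The signatures are HMAC-SHA256 over a canonical encoding, a stand-in for the OpenPGP signatures the real archive uses; the key ids, package name and hashes are constructed for the example.

```python
"""Model of a Debian-style signature chain (added example, not project code).

Stand-in signatures: HMAC-SHA256 with a per-signer secret instead of OpenPGP.
Key ids, package names and file contents are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed keyring: the role prefix records what each key is allowed to
# sign, so a buildd key can never be accepted as the human root of the chain.
KEYS = {
    "human:developer": b"constructed-developer-secret",
    "buildd:x86-01": b"constructed-buildd-secret",
    "archive:ftp-master": b"constructed-archive-secret",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key_id: str, payload: dict) -> dict:
    """Wrap payload with a stand-in signature made under key_id's secret."""
    mac = hmac.new(KEYS[key_id], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signer": key_id, "sig": mac}


def verify(doc: dict, role: str) -> bool:
    """Signature must check out AND the signing key must hold the expected role."""
    key_id = doc["signer"]
    if key_id not in KEYS or not key_id.startswith(role + ":"):
        return False
    expected = hmac.new(KEYS[key_id], canonical(doc["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["sig"])


def build_archive(source_signer: str = "human:developer"):
    """Produce the three signed artifacts; each one references the previous by hash."""
    dsc = {"source": "hello", "version": "2.10-3",
           "tarball_sha256": sha256(b"constructed source tarball")}
    signed_dsc = sign(source_signer, dsc)                      # human signs the upload
    deb = {"binary": "hello_2.10-3_amd64.deb",
           "deb_sha256": sha256(b"constructed binary package"),
           "built_from": sha256(canonical(signed_dsc))}        # links build to upload
    signed_build = sign("buildd:x86-01", deb)                  # machine signs the build
    packages_index = canonical({"hello": signed_build})
    release = {"suite": "unstable", "Packages_sha256": sha256(packages_index)}
    signed_release = sign("archive:ftp-master", release)       # machine signs Release
    return signed_dsc, signed_build, packages_index, signed_release


def verify_chain(signed_dsc, signed_build, packages_index, signed_release) -> bool:
    """Walk the chain from what the client downloads back to the human root."""
    # 1. Archive key over Release; Release must cover the Packages index we hold.
    if not verify(signed_release, "archive"):
        return False
    if signed_release["payload"]["Packages_sha256"] != sha256(packages_index):
        return False
    # 2. The build record must be exactly the one listed in Packages.
    if json.loads(packages_index).get("hello") != signed_build:
        return False
    # 3. buildd signature over the binary, which must point at the source upload.
    if not verify(signed_build, "buildd"):
        return False
    if signed_build["payload"]["built_from"] != sha256(canonical(signed_dsc)):
        return False
    # 4. Root of the chain: a human-authenticated source upload, not a machine key.
    return verify(signed_dsc, "human")


def scenarios() -> dict:
    """Honest chain, a chain whose root was signed by a machine, and a tampered build."""
    honest = build_archive()
    machine_root = build_archive(source_signer="buildd:x86-01")
    dsc, build, pkgs, rel = build_archive()
    forged = json.loads(json.dumps(build))          # deep copy via round-trip
    forged["payload"]["deb_sha256"] = "0" * 64      # swap binary after signing
    return {
        "honest": verify_chain(*honest),
        "machine_root": verify_chain(*machine_root),
        "tampered_build": verify_chain(dsc, forged, pkgs, rel),
    }


if __name__ == "__main__":
    print(scenarios())
```

The role check in `verify` is what makes the argument in the message concrete: the Release and Packages signatures are machine-made, and the client trusts them only because the chain bottoms out in a signature from a key the keyring marks as human. Moving the machine signature one step earlier (onto an intermediate source artifact) changes nothing about that root.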