On 25.06.24 00:52, HW42 wrote:
> Is this really common practice that Debian uploaders sign (source) packages they built on less-trusted systems?
Data point: my main build system is a 24-core VM in our data center. I'm not going to upload my private key to a data center … and people whose key is on some hardware card or stick can't upload their key at all.
Thus it's not necessarily a problem of "less trust", "I'm not physically where the hardware is" (and don't allow tunneled access to my hardware key to anywhere, as a matter of security principle) is sufficient.
-- 
-- regards
-- 
-- Matthias Urlichs
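The workflow Matthias describes, building on a remote VM and signing on the workstation that holds the key, has one step worth automating: checking that what was pulled off the build host is what the unsigned .changes file claims before the local key touches it. The script below is an added example, not code from the mail or from Debian's devscripts; it assumes GNU coreutils sha256sum and a POSIX sh, and the package name, file names and directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail: verify the Checksums-Sha256 stanza
# of a .changes file against the files sitting next to it, i.e. the check to run
# after fetching a remote build and before signing it locally.
# Assumes GNU coreutils sha256sum and POSIX sh. Package/file names are made up.

set -u

# verify_changes_sha256 CHANGES
# Returns 0 if every file listed under Checksums-Sha256 exists in the same
# directory as CHANGES and hashes to the listed value, non-zero otherwise
# (missing file, wrong hash, or a malformed stanza line).
verify_changes_sha256() {
    changes=$1
    dir=$(dirname "$changes")
    # Stanza lines look like " <sha256> <size> <name>"; the stanza ends at the
    # next field that starts in column 0. Feed "<sha256>  <name>" to sha256sum -c.
    awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f && NF==3 {print $1"  "$3}' "$changes" |
        (cd "$dir" && sha256sum -c --strict --quiet -)
}

# make_demo_upload DIR
# Writes a constructed, unsigned source upload into DIR: a stand-in .dsc, two
# stand-in tarballs, and a .changes whose checksum stanza matches them.
make_demo_upload() {
    dir=$1
    mkdir -p "$dir"
    printf 'Format: 3.0 (quilt)\nSource: demo\n' >"$dir/demo_1.0-1.dsc"
    printf 'not a real orig tarball\n' >"$dir/demo_1.0.orig.tar.xz"
    printf 'not a real debian tarball\n' >"$dir/demo_1.0-1.debian.tar.xz"
    {
        printf 'Format: 1.8\nSource: demo\nVersion: 1.0-1\nChecksums-Sha256:\n'
        for f in demo_1.0-1.dsc demo_1.0.orig.tar.xz demo_1.0-1.debian.tar.xz; do
            sum=$(sha256sum "$dir/$f" | cut -d' ' -f1)
            size=$(wc -c <"$dir/$f" | tr -d ' ')
            printf ' %s %s %s\n' "$sum" "$size" "$f"
        done
        printf 'Files:\n'
    } >"$dir/demo_1.0-1_source.changes"
}

# demo: an intact upload passes, a tarball modified after the .changes was
# written fails.
demo() {
    tmp=$(mktemp -d)
    make_demo_upload "$tmp"
    verify_changes_sha256 "$tmp/demo_1.0-1_source.changes" && echo "intact upload: checksums OK"
    printf 'x' >>"$tmp/demo_1.0.orig.tar.xz"
    verify_changes_sha256 "$tmp/demo_1.0-1_source.changes" || echo "tampered upload: mismatch detected"
    rm -rf "$tmp"
}

demo
```

In practice the fetch, check and sign happen on the workstation; devscripts' `debsign -r` exists for exactly this, pulling the .changes and .dsc from the build host over ssh, signing them with the local key, and copying them back. The check above only proves the transfer was clean: the signature still vouches for whatever the build host produced, which is the point HW42's question is about.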