Quoting Salvo Tomaselli (2024-06-26 09:25:37)
> > > > Building a source package is a lot more opaque and gives the attacker a
> > > > lot more room to hide. Adding malicious code to tar to inject something
> > > > into source packages is a lot quieter
> >
> > How many packages have a pubkey for the orig file?
>
> Perhaps we should encourage upstreams to sign more?
What I have learned from all this is that we should not encourage signing more, but encourage signing more cautiously. Both ourselves and our upstreams.

My point being that signatures have little value if automated, or done manually without related examination.

I am sure that's also what you meant, Salvo. I just find it quite relevant to be explicit that it is the care that needs a boost, not the amount of signatures.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private