On Wed, Dec 03, 2003 at 03:17:20AM +0100, Goswin von Brederlow wrote:
> What the admin's signature can give us is a trusted timestamp and
> another pair of eyes reading the changes files.

Well, a trusted timestamp can be added/required by a third party. No need to bother a build admin with signing of packages he cannot verify. Just make a small web service which receives a <packagename,version,hash> string and answers with a signed timestamp. There are even services like that out there on the net.

> Don't get me wrong, I'm all for a gpg key on the buildd to sign every
> deb. Not as replacement to at least one person glancing over the
> result but as an extra measure.

How often has this person glanced over the results? As I understand it, Debian build daemons run unattended and build continuously. Correct me if I am wrong here. But if I assume right, I don't want to lose that processing speed, especially since it can be easily compensated with "3rd party" timestamps.

Greetings
bernd
--
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  [EMAIL PROTECTED]  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
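
The third-party timestamp service described in this message, sketched as an added example (not part of the original e-mail and not Debian's code). The `Token` type, the `Stamp`/`Verify` names, the length-prefixed encoding and the choice of Ed25519 are assumptions made for illustration; the key and package data are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// Token is what the (hypothetical) timestamp service returns.
type Token struct {
	Unix int64  // time at which the service saw the request
	Sig  []byte // Ed25519 signature over the encoded request and time
}

// encode length-prefixes each field, so ("a,b","c") and ("a","b,c") can never
// produce the same signed bytes, then appends the timestamp.
func encode(pkg, ver, hash string, unix int64) []byte {
	var b []byte
	var n [8]byte
	for _, f := range []string{pkg, ver, hash} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(f)))
		b = append(append(b, n[:4]...), f...)
	}
	binary.BigEndian.PutUint64(n[:], uint64(unix))
	return append(b, n[:]...)
}

// Stamp is the service side: it never sees the package, only its hash.
func Stamp(key ed25519.PrivateKey, pkg, ver, hash string, now time.Time) Token {
	u := now.Unix()
	return Token{Unix: u, Sig: ed25519.Sign(key, encode(pkg, ver, hash, u))}
}

// Verify is the archive or user side: rebuild the bytes and check the signature.
func Verify(pub ed25519.PublicKey, pkg, ver, hash string, t Token) bool {
	return ed25519.Verify(pub, encode(pkg, ver, hash, t.Unix), t.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key
	sum := sha256.Sum256([]byte("constructed .deb contents"))
	h := hex.EncodeToString(sum[:])
	tok := Stamp(priv, "hello", "2.10-3", h, time.Now())
	fmt.Println("valid:", Verify(pub, "hello", "2.10-3", h, tok))
	fmt.Println("other version:", Verify(pub, "hello", "2.10-4", h, tok))
}
```

The token only attests that the service saw this name, version and hash at the stated time; it says nothing about who built the package or whether its contents are correct.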