On Sun, Dec 03, 2017 at 10:41:17AM +0000, Holger Levsen wrote:
> On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> > The Debian buildds only do the first verification (due to all Debian
> > package uploader keys not being installed) but the Debian archive
> > verifies that all uploads match a known developer key before passing
> > packages to the buildds. So in practice, both verifications are
> > happening, but not in the same place.
>
> in practice, this also has obvious flaws.

Please elaborate.

> what's the technical reason
> the buildds are not checking the signatures?

Unavailability of the keys. Key may have been expired between upload and
build attempt.

Bastian

-- 
Leave bigotry in your quarters; there's no room for it on the bridge.
		-- Kirk, "Balance of Terror", stardate 1709.2