[Reproducible-builds] Bug#763822: Moving towards buildinfo on the archive network

Ximin Luo infinity0 at debian.org
Sun Aug 21 18:33:00 UTC 2016


Ximin Luo:
> Signatures provide a way for us to aggregate public trust on binaries that
> don't build themselves. So it's important to have multiple and *very direct*
> meanings of what-is-being-signed, to avoid a transitive-trust situation.
> 

I sent this in a rush; better version:

Signatures provide a way for us to aggregate public trust on binaries that
people don't build themselves. So it's important to have multiple and *very
direct* meanings of what-is-being-signed, strongly associated to the signer,
to avoid a transitive-trust situation.

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git


