On Fri, 10 Apr 2009, Pär Andersson wrote:
Karanbir Singh wrote:
Change which part? Signing them or automating something? The reason debuginfos are not signed is that bringing them into a securebox for the signing process and pushing them out again easily triples the time factor.
Personally I would rather wait even longer if that meant signed packages. Of course it would not be an ideal solution, but I think the security risk of installing unsigned packages is much worse than the inconvenience of waiting.
It's not obvious to me what the attack vector would be with unsigned debuginfo packages...
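Whatever one thinks of the attack vector, the first thing a practitioner wants is a way to tell whether a package even carries a signature, and to remember that a present signature tag is not the same as a verified one. The following is an added example, not code from this thread or from the CentOS build tooling: it parses the signature header at the front of an RPM file (lead, then the signature header with its index entries, per rpm's own header format) and reports which signature tags are present. The two RPM prefixes it inspects are constructed in the script itself; the "RSA" payload is a placeholder blob, not a real OpenPGP packet, so this only shows presence, not validity.

```python
"""Report which signature tags the signature header of an RPM file carries.

Added example: the RPM prefixes below are constructed here for illustration
and are not real CentOS packages.  Tag numbers come from rpm's rpmtag.h.
"""
import struct

LEAD_SIZE = 96
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic + version 1

# rpm header index entry types (subset used here)
RPM_INT32 = 4
RPM_STRING = 6
RPM_BIN = 7

# Signature-header tags (rpmtag.h).  DSA/RSA sign the header only;
# PGP/GPG are the older signatures over header + payload.
SIG_TAGS = {
    1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG", 1007: "PAYLOADSIZE",
    267: "DSA", 268: "RSA", 269: "SHA1",
}
SIGNATURE_TAGS = {"PGP", "GPG", "DSA", "RSA"}   # digests (MD5/SHA1) are not signatures


def build_lead(name: bytes = b"demo-debuginfo-1.0-1") -> bytes:
    """96-byte RPM lead: magic, major, minor, type, archnum, name[66], osnum, sigtype, reserved."""
    return struct.pack(">4sBBhh66shh16s", RPM_LEAD_MAGIC, 3, 0, 0, 1, name, 1, 5, b"")


def build_sig_header(entries) -> bytes:
    """Serialize (tag, type, payload) triples into a signature header (constructed helper).

    Real rpm aligns INT32 data; this toy keeps offsets as laid out, which the
    parser below tolerates because it reads offsets from the index."""
    index, data = b"", b""
    for tag, typ, payload in entries:
        off = len(data)
        if typ == RPM_INT32:
            count = len(payload) // 4
        elif typ == RPM_STRING:
            count = 1
            payload = payload + b"\0"
        else:
            count = len(payload)
        index += struct.pack(">IIII", tag, typ, off, count)
        data += payload
    intro = HEADER_MAGIC + b"\0\0\0\0" + struct.pack(">II", len(entries), len(data))
    return intro + index + data


def parse_signature_header(blob: bytes) -> dict:
    """Return {tag_name: value} for every entry in the signature header."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    hdr = LEAD_SIZE
    if blob[hdr:hdr + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, _hsize = struct.unpack(">II", blob[hdr + 8:hdr + 16])
    index_start = hdr + 16
    data_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(
            ">IIII", blob[index_start + 16 * i:index_start + 16 * (i + 1)])
        at = data_start + off
        if typ == RPM_INT32:
            value = struct.unpack(">%dI" % count, blob[at:at + 4 * count])
        elif typ == RPM_STRING:
            value = blob[at:blob.index(b"\0", at)].decode()
        else:                       # BIN and anything else: count raw bytes
            value = blob[at:at + count]
        entries[SIG_TAGS.get(tag, tag)] = value
    return entries


def signature_tags(entries: dict) -> list:
    """Names of the signature (not digest) tags present, sorted."""
    return sorted(t for t in entries if t in SIGNATURE_TAGS)


def make_demo_rpm(signed: bool) -> bytes:
    """Constructed RPM prefix: digests only, or digests plus a placeholder RSA blob."""
    entries = [
        (1000, RPM_INT32, struct.pack(">I", 4096)),
        (1004, RPM_BIN, bytes(range(16))),          # fake MD5
        (269, RPM_STRING, b"0" * 40),               # fake SHA1 hex
    ]
    if signed:
        entries.append((268, RPM_BIN, b"\x89" + bytes(range(1, 64))))  # placeholder, not a PGP packet
    return build_lead() + build_sig_header(entries)


if __name__ == "__main__":
    for label in ("unsigned", "signed"):
        tags = signature_tags(parse_signature_header(make_demo_rpm(label == "signed")))
        print(label, "->", tags or "no signature tags (digests only)")
```

On a real system the equivalent check is `rpm -Kv file.rpm` (or `rpm -qp --qf '%{RSAHEADER:pgpsig}\n' file.rpm`), which also attempts verification against the imported keys; a header that merely contains an RSA or DSA tag tells you nothing until that verification passes. Whether unsigned packages are ever installed at all is governed by yum's `gpgcheck` setting for the repository.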