On Fri, 10 Apr 2009, Pär Andersson wrote:
> Karanbir Singh wrote:
>> Change which part? signing them or automating something? The reason
>> debuginfo's are not signed is that bringing them into a securebox for
>> the signing process and pushing them out again easily triples the time
>> factor.
>
> Personally I would rather wait even longer if that meant signed
> packages. Of course it would not be an ideal solution, but I think the
> security risk of installing unsigned packages is much worse than the
> inconvenience of waiting.

It's not obvious to me what the attack vector would be with unsigned debuginfo packages...