[CentOS-devel] why provide debuginfo

Fri Apr 10 16:10:41 UTC 2009
Charlie Brady <charlieb-centos-devel at budge.apana.org.au>

On Fri, 10 Apr 2009, Pär Andersson wrote:

> Karanbir Singh wrote:
>> Change which part? Signing them or automating something? The reason
>> debuginfos are not signed is that bringing them into a securebox for
>> the signing process and pushing them out again easily triples the time
>> factor.
>
> Personally I would rather wait even longer if that meant signed
> packages. Of course it would not be an ideal solution, but I think the
> security risk of installing unsigned packages is much worse than the
> inconvenience of waiting.

It's not obvious to me what the attack vector would be with unsigned 
debuginfo packages...