
Comment by e12e

7 years ago

> This is particularly so when someone may be able to compromise the software publisher's infrastructure

Indeed. While this particular venue wouldn't have worked for:

https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident...

(a compromise of GitHub itself would be needed) - it's easy to imagine one of the many Debian mirrors suffering a compromise. But as they just push signed debs, the damage would be limited (not trivial, there could conceivably be bugs in apt/dpkg/gnupg etc.).
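The limited-damage claim about a compromised Debian mirror rests on a chain of trust that apt checks on the client: the archive key signs the InRelease file, InRelease carries the SHA256 of the Packages index, and the index carries the SHA256 of each .deb, so the mirror holds no key and can alter nothing in that chain without the client noticing. The Go program below is an added example written for this page, not code from the commenter or from apt itself; it models that chain with ed25519 standing in for the archive's GPG signature, a constructed one-package repository, and hypothetical names (Repo, Publish, Fetch, Scenarios). It then plays the mirror-side attacks a compromise would allow (swap the .deb, also rewrite the index, re-sign with the mirror's own key, or replay a stale snapshot) and shows each being rejected. The stale-snapshot case is the caveat a practitioner should keep in mind: signatures alone do not stop a mirror from serving old, still-validly-signed metadata, which is why apt honours the Valid-Until field in Release files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Repo is what a mirror serves. The mirror holds no signing key: it only
// copies the publisher's signed InRelease, the Packages index and the .debs.
// (Hypothetical type for this example; real apt reads these as files over HTTP.)
type Repo struct {
	InRelease  string            // "Valid-Until: <unix>\nPackages: <sha256>\n"
	ReleaseSig []byte            // signature over InRelease (ed25519 here, GPG in real apt)
	Packages   string            // "Filename: <name>\nSHA256: <hex>\n\n" per package
	Debs       map[string][]byte // .deb bodies by filename
}

func sha256hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Publish is the archive side: the only place the private key is ever used.
func Publish(priv ed25519.PrivateKey, debs map[string][]byte, validUntil int64) Repo {
	var idx strings.Builder
	for name, body := range debs {
		fmt.Fprintf(&idx, "Filename: %s\nSHA256: %s\n\n", name, sha256hex(body))
	}
	inrel := fmt.Sprintf("Valid-Until: %d\nPackages: %s\n", validUntil, sha256hex([]byte(idx.String())))
	return Repo{InRelease: inrel, ReleaseSig: ed25519.Sign(priv, []byte(inrel)), Packages: idx.String(), Debs: debs}
}

// field pulls "Key: value" out of an RFC822-style stanza, the layout apt indexes use.
func field(stanza, key string) (string, bool) {
	for _, line := range strings.Split(stanza, "\n") {
		if strings.HasPrefix(line, key+": ") {
			return strings.TrimPrefix(line, key+": "), true
		}
	}
	return "", false
}

// Fetch is the client side, in the spirit of apt: trust only the archive public
// key, verify InRelease, refuse stale metadata, then follow the hash chain
// InRelease -> Packages -> .deb before accepting anything the mirror served.
func Fetch(pub ed25519.PublicKey, r Repo, name string, now int64) ([]byte, error) {
	if !ed25519.Verify(pub, []byte(r.InRelease), r.ReleaseSig) {
		return nil, errors.New("InRelease: signature does not verify with archive key")
	}
	v, ok := field(r.InRelease, "Valid-Until")
	if !ok {
		return nil, errors.New("InRelease: no Valid-Until")
	}
	var until int64
	if _, err := fmt.Sscan(v, &until); err != nil || now > until {
		return nil, errors.New("InRelease: expired or malformed Valid-Until (stale mirror?)")
	}
	want, ok := field(r.InRelease, "Packages")
	if !ok || sha256hex([]byte(r.Packages)) != want {
		return nil, errors.New("Packages: hash does not match signed InRelease")
	}
	for _, stanza := range strings.Split(r.Packages, "\n\n") {
		if fn, _ := field(stanza, "Filename"); fn != name {
			continue
		}
		wantDeb, _ := field(stanza, "SHA256")
		body, ok := r.Debs[name]
		if !ok {
			return nil, errors.New(name + ": not served by mirror")
		}
		if sha256hex(body) != wantDeb {
			return nil, errors.New(name + ": body does not match hash in signed index")
		}
		return body, nil
	}
	return nil, errors.New(name + ": not in index")
}

// Scenarios runs the honest mirror and four mirror-side attacks; the result
// map says whether the client accepted the package in each case.
func Scenarios() map[string]bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const pkg = "hello_1.0_amd64.deb"
	debs := map[string][]byte{pkg: []byte("constructed deb body")} // constructed sample input
	repo := Publish(priv, debs, 1_000_000)
	results := map[string]bool{}
	accept := func(label string, r Repo, now int64) {
		_, err := Fetch(pub, r, pkg, now)
		results[label] = err == nil
	}
	accept("honest mirror", repo, 500_000)

	t1 := repo // 1. mirror swaps the .deb for a backdoored one
	t1.Debs = map[string][]byte{pkg: []byte("backdoored deb body")}
	accept("tampered deb", t1, 500_000)

	t2 := t1 // 2. mirror also rewrites the Packages index to match
	t2.Packages = strings.Replace(repo.Packages, sha256hex(debs[pkg]), sha256hex(t1.Debs[pkg]), 1)
	accept("tampered deb + index", t2, 500_000)

	t3 := t2 // 3. mirror re-signs a matching InRelease with its own key
	_, mirrorPriv, _ := ed25519.GenerateKey(rand.Reader)
	t3.InRelease = fmt.Sprintf("Valid-Until: %d\nPackages: %s\n", 1_000_000, sha256hex([]byte(t2.Packages)))
	t3.ReleaseSig = ed25519.Sign(mirrorPriv, []byte(t3.InRelease))
	accept("re-signed with mirror key", t3, 500_000)

	accept("stale snapshot", repo, 2_000_000) // 4. genuine but expired metadata replayed
	return results
}

func main() {
	for label, accepted := range Scenarios() {
		fmt.Printf("%-26s accepted=%v\n", label, accepted)
	}
}
```

Only the honest mirror is accepted. Note what the example does not cover, which is exactly the residual risk the comment flags: every rejection above happens in the client's own signature, hash and index parsers, so a bug in apt, dpkg or gnupg while handling attacker-controlled InRelease, Packages or .deb data is still reachable from a hostile mirror.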