[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: KNewStuff and GPG question
From: Andras Mantia <amantia () kde ! org>
Date: 2010-07-23 7:54:02
Message-ID: 201007231054.09760.amantia () kde ! org
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Hi,
On Friday 23 July 2010, Frederik Gladhorn wrote:
> Hi Andras,
> I am all for it, don't get me wrong. It's great to hear that you have
> experience with this. How did you handle the signatures? Was there a
> sort of keyring?
It was done in the same way as it is for mails. After all it is similar.
Anybody (well, any uploader) can sign the packages. This doesn't give
protection by itself. But the downloader gets an information about who
signed the package. If the signature is trusted (ie, he met the uploader
in person or verified in another way that the signature indeed belongs to
a person who is trusted), there is nothing he has to do. If the
signature is not trusted, he gets a warning (with the signature
information) and installation of the stuff happens only if the downloader
explicitely accepts it.
> to the way gpg and emails work. But then it only works for users
> that go to keysigning parties, doesn't it?
This depends on the downloader standards. I might not met in person a
certain developer/uploader, but might still trust him based on his past
experience. Like Quanta users would probably trust packages uploaded by
Quanta developers.
AFAIK the only issue with the old implementation was that it used the
gpg executable instead of the gpgme++ library, because the latter was
GPL, not LGPL. As I see they are now LGPL and in kdepimlibs, so a
solution would be to use it.
Andras
["signature.asc" (application/pgp-signature)]
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic