From kde-devel Tue May 25 23:45:01 2010
From: Joanna Rutkowska
Date: Tue, 25 May 2010 23:45:01 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <4BFC60FD.4000601 () invisiblethingslab ! com>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127483094625130

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 05/25/2010 09:01 PM, Andreas Pakulat wrote:
> On 25.05.10 15:13:57, Joanna Rutkowska wrote:
>> Hello,
>>
>> Where can I get digital signatures for KDE source code? Say, for the
>> stable tarballs published on the FTP:
>>
>> ftp://ftp.kde.org/pub/kde/stable/
>
> What do you mean with digital signatures? KDE doesn't sign its sources
> with gpg or something else.
>

And may I ask why?

Digital signatures are an important way of assuring *authenticity* (and
nothing else) of the files I download. Without digital signatures I
cannot be sure that, e.g., the tarball I'm downloading has not been
subverted by somebody in the middle between *me* and the *committer*
(aka vendor).

Sure, the digital signature doesn't ensure any property of the code
(e.g. that it is not malicious), but it allows me to trust only the
vendors (e.g. KDE committers). Without digital signatures I also need to
trust a dozen other things, such as:

1) that your ftp server has not been compromised (e.g. by a remote
attacker, or perhaps by a malicious admin)
2) that none of the routers between me and the kde ftp server has been
compromised (e.g. by a remote attacker, or perhaps by a malicious admin)
3) that my local WiFi network's encryption has not been broken by my
neighbors
4) that the DNS records I'm getting for kde.org are valid and not
manipulated by some clever attack.

If KDE published digital signatures for every published tarball, I
would be able to trust only KDE committers and would *not* need to trust
all those other things mentioned above.

>> or for the stable revisions in the SVN's stable/ branches?
>
> That doesn't even make any sense at all.
>

Interesting opinion -- can you elaborate?

Many (most?) version control systems allow signing commits, e.g. git,
mercurial, perhaps also SVN. Look at the Linux kernel -- every "release"
commit is tagged and signed by Linus -- see e.g. this:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tag;h=4ac8e07ee3f251ae32329a24e0b01a316b21ead9

joanna.
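As an added illustration (not part of the thread or of KDE's release process): the tarball check the message asks for, done with GnuPG as a detached signature over a release file. The signing key, file names and tarball contents are constructed for the demo; an untouched download verifies, and a download with a single appended byte fails, regardless of which mirror, router or resolver delivered it.

```shell
#!/bin/sh
# Added example: publish and verify a detached OpenPGP signature for a
# release tarball. Everything below (key, file names, contents) is constructed.
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent gpg starts for us and remove the scratch dir when the script exits.
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Throw-away key standing in for a release manager's key (constructed, no passphrase).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Release Key <release@example.invalid>' default default never

# Constructed "tarball": the signature covers its bytes, not its meaning.
TARBALL="$WORK/kde-demo-4.4.4.tar"
printf 'kde-demo-4.4.4 sources (constructed)\n' > "$TARBALL"

# Vendor side: detached, ASCII-armoured signature published next to the tarball.
gpg --batch --quiet --armor --detach-sign --output "$TARBALL.asc" "$TARBALL"

# Downloader side: check <file> against <file>.asc with a key already in the
# local keyring. gpg exits 0 only for a good signature; prints "ok" or "FAILED".
verify_tarball() {
    if gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; then
        echo ok
    else
        echo FAILED
    fi
}

# Simulate a modified download: same published .asc, one extra byte in the data.
tamper() {
    cp "$1" "$1.tampered"
    printf '\n' >> "$1.tampered"
    cp "$1.asc" "$1.tampered.asc"
}

echo "untampered: $(verify_tarball "$TARBALL")"
tamper "$TARBALL"
echo "tampered:   $(verify_tarball "$TARBALL.tampered")"
```

A good signature only tells the downloader that the holder of the signing key produced exactly these bytes; whether that key really belongs to the project is a separate trust decision the keyring has to encode.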