
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2010-05-25 23:45:01
Message-ID: 4BFC60FD.4000601 () invisiblethingslab ! com



On 05/25/2010 09:01 PM, Andreas Pakulat wrote:
> On 25.05.10 15:13:57, Joanna Rutkowska wrote:
> > Hello,
> > 
> > Where can I get digital signatures for KDE source code. Say, for the
> > stable tarballs published in the FTP:
> > 
> > ftp://ftp.kde.org/pub/kde/stable/
> 
> What do you mean with digital signatures? KDE doesn't sign its sources
> with gpg or something else.
> 

And may I ask why? Digital signatures are an important way of assuring
*authenticity* (and nothing else) of the files I download.

Without digital signatures I cannot be sure that e.g. the tarball
I'm downloading has not been subverted by somebody in the middle between
*me* and the *committer* (aka vendor).

Sure, the digital signature doesn't ensure any property of the
code (e.g. that it is not malicious), but it allows me to trust only the
vendors (e.g. KDE committers). Without digital signatures I also need to
trust a dozen other things, such as:

1) that your ftp server has not been compromised (e.g. by a remote
attacker, or perhaps by a malicious admin)
2) that none of the routers between me and the kde ftp server has been
compromised (e.g. by a remote attacker, or perhaps by a malicious admin)
3) that my local WiFi network's encryption has not been broken by my
neighbors
4) that the DNS records I'm getting for kde.org are valid and not
manipulated by some clever attack.

If KDE published digital signatures for every published tarball, I would
be able to trust only KDE committers and would *not* need to trust all
those other things mentioned above.

> > or for the stable revisions in the SVN's stable/ branches?
> 
> That doesn't even make any sense at all.
> 
Interesting opinion -- can you elaborate? Many (most?) version control
systems allow signing commits, e.g. git, mercurial, perhaps also SVN.

Look at the Linux kernel -- every "release" commit is tagged and signed
by Linus -- see e.g. this:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tag;h=4ac8e07ee3f251ae32329a24e0b01a316b21ead9


joanna.
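As an added illustration of the point made in this message (not part of the thread, and not KDE's tooling): verifying a detached OpenPGP signature on a downloaded tarball so that only the vendor's key is trusted. A bare `gpg --verify` exit status of 0 means "some key in my keyring signed this", so the check below pins the expected fingerprint via the VALIDSIG status line. The fingerprint and the sample status output are constructed placeholders.

```shell
#!/bin/sh
# Verify a detached OpenPGP signature on a tarball and insist that it was
# made by a pinned release key, not merely by any key in the local keyring.

# Constructed placeholder fingerprint (not a real project key); the real
# value must be obtained out of band, e.g. from the vendor in person.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS_TEXT PINNED_FPR
# Parse `gpg --status-fd` output. Exit 0 only if a VALIDSIG line names the
# pinned fingerprint as signing key ($3) or primary key ($12). GOODSIG and
# exit status 0 alone are not enough: gpg also reports TRUST_UNDEFINED keys.
check_status() {
    status="$1"
    want="$2"
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $12 == want) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# verify_tarball TARBALL SIGFILE
# Run gpg with machine-readable status on stdout, then apply the pin check.
verify_tarball() {
    tarball="$1"
    sig="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    check_status "$status" "$PINNED_FPR"
}

# Constructed sample status output: a good signature from the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-05-25 1274830000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a valid signature, but from some other key in the
# keyring. gpg would exit 0 here; the pin check must still reject it.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0011223344556677 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2010-05-25 1274830000 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: a bad signature; no VALIDSIG line is emitted at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>'
```

Usage: `verify_tarball kde-foo.tar.bz2 kde-foo.tar.bz2.sig`, where the `.sig` would be a detached signature published alongside the tarball.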

