[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: digital signatures for kde sources?
From: Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date: 2010-05-25 23:47:39
Message-ID: 4BFC619B.2010609 () invisiblethingslab ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
On 05/25/2010 10:25 PM, Lubos Lunak wrote:
> On Tuesday 25 of May 2010, Joanna Rutkowska wrote:
>> Hello,
>>
>> Where can I get digital signatures for KDE source code. Say, for the
>> stable tarballs published in the FTP:
>>
>> ftp://ftp.kde.org/pub/kde/stable/
>
> The release info pages (e.g. http://kde.org/info/4.4.3.php) have SHA1 sums.
>
Publishing SHA1 sum on the same server, via plaintext HTTP, doesn't
change anything in terms of security. If somebody was able to subvert
the tarball I'm downloading (e.g. because he or she compromised the
kde.org's FTP server, or one of the routers in between, or doing some
DNS protocol attack, or hacked into my WiFi), this person would also be
able to subvert this SHA1 sum to match the subverted binary.
KDE should be publishing real digital signatures (e.g. using GPG), not
just the hashes.
joanna.
["signature.asc" (application/pgp-signature)]
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic