[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Michael Pyne <mpyne () kde ! org>
Date:       2010-05-26 0:11:46
Message-ID: 201005252011.52588.mpyne () kde ! org
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


On Tuesday, May 25, 2010 19:45:01 Joanna Rutkowska wrote:
> >> or for the stable revisions in the SVN's stable/ branches?
> > 
> > That doesn't even make any sense at all.
> 
> Interesting opinion -- can you elaborate? Many (most?) version control
> systems allow to sign commits, e.g. git, mercurial, perhaps also SVN.
> 
> Look at the Linux kernel -- every "release" commit is tagged and signed
> by Linus -- see e.g. this:

No, it's not an opinion, he's giving a technical fact regarding the source 
control system we currently use, Subversion. AFAIK git was actually the first 
popular source control system to allow cryptographic-strength code signing so 
it's still a relatively new feature. git gets it almost for free just based on 
the way Linus Torvalds designed the filesystem.

I'm not going to say that it *can't* be done efficiently in Subversion, but 
I'm pretty sure it would be very difficult and as it stands Subversion doesn't 
support code signing.

It would be possible to sign tagged branches or what not by doing svn export 
and signing the tarball but as you've already noted we don't go that far.

Regards,
 - Michael Pyne

["signature.asc" (application/pgp-signature)]

>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<


[prev in list] [next in list] [prev in thread] [next in thread]