On 05/26/2010 02:11 AM, Michael Pyne wrote:
> On Tuesday, May 25, 2010 19:45:01 Joanna Rutkowska wrote:
>>>> or for the stable revisions in the SVN's stable/ branches?
>>>
>>> That doesn't even make any sense at all.
>>
>> Interesting opinion -- can you elaborate? Many (most?) version control
>> systems allow signing commits, e.g. git, mercurial, perhaps also SVN.
>>
>> Look at the Linux kernel -- every "release" commit is tagged and signed
>> by Linus -- see e.g. this:
>
> No, it's not an opinion, he's giving a technical fact regarding the source
> control system we currently use, Subversion. AFAIK git was actually the first
> popular source control system to allow cryptographic-strength code signing so
> it's still a relatively new feature. git gets it almost for free just based on
> the way Linus Torvalds designed the filesystem.
>
> I'm not going to say that it *can't* be done efficiently in Subversion, but
> I'm pretty sure it would be very difficult and as it stands Subversion doesn't
> support code signing.
>
> It would be possible to sign tagged branches or what not by doing svn export
> and signing the tarball but as you've already noted we don't go that far.
>

If you could sign the tarballs you publish, it would be just enough. Why are you saying that you don't plan to do that?

I'm currently in the process of packaging KDE for our Qubes OS, and I *really* would welcome a reliable way to verify that packages I download from kde.org are indeed what kde.org committers have published, before I package them and distribute them as part of my system...

Security of any system should be built on strong foundations -- otherwise it all doesn't make any sense.

joanna.

>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
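The workflow Michael sketches (export a tagged tree, sign the resulting tarball) and the check Joanna asks for (verify a downloaded tarball before packaging it), as an added shell example that is not part of this thread and not KDE's release tooling. It assumes GnuPG 2.1 or later (`gpg`) and `tar` are installed. The release tree is constructed inline instead of coming from `svn export`, the signing key is generated on the fly rather than being a real project key, and the fingerprint that a packager would obtain out of band is taken from that generated key; the names `kdeproject-1.0`, `release@example.invalid`, `other@example.invalid` and all function names are invented for the example.

```shell
#!/bin/sh
# Added example, not KDE's release tooling: sign a release tarball with a
# detached OpenPGP signature and verify a download against a pinned key
# fingerprint before packaging it.  Assumes GnuPG 2.1+ (gpg) and tar.
set -eu

# make_release_tarball DIR OUT: pack an exported source tree.  In the thread's
# workflow DIR would come from `svn export` of a tagged branch; here it is a
# constructed tree so the script runs offline.
make_release_tarball() {
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# generate_release_key UID: create an unprotected demo signing key and print
# its fingerprint.  A real release key lives offline; this one is constructed
# for the example only.
generate_release_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" rsa2048 sign 0 2>/dev/null
    gpg --batch --with-colons --list-keys "=$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_tarball TARBALL SIGNER_FPR [OUT]: write a binary detached signature
# (default TARBALL.sig) made by the key SIGNER_FPR.
sign_tarball() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --output "${3:-$1.sig}" --detach-sign "$1"
}

# verify_tarball TARBALL SIG EXPECTED_FPR: succeed only when the signature is
# cryptographically good AND was made by the pinned fingerprint.  The exit
# status alone is not enough: any key in the keyring yields "Good signature",
# so the fingerprint obtained out of band is compared against the one gpg
# reports on its VALIDSIG status line.
verify_tarball() {
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $3 " || return 1
}

# demo: the three cases a packager cares about.  Returns 0 only if a genuine
# release verifies while a tampered tarball and a signature from the wrong
# key are both rejected.  Prints "all checks passed" on success.
demo() {
    WORK="$(mktemp -d)"
    GNUPGHOME="$WORK/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # constructed "release" tree (the name kdeproject-1.0 is invented)
    mkdir -p "$WORK/kdeproject-1.0/src"
    echo 'int main(void) { return 0; }' > "$WORK/kdeproject-1.0/src/main.c"
    tarball="$WORK/kdeproject-1.0.tar.gz"
    make_release_tarball "$WORK/kdeproject-1.0" "$tarball"

    release_fpr="$(generate_release_key 'Demo Release Key <release@example.invalid>')"
    sign_tarball "$tarball" "$release_fpr"

    # 1. genuine tarball + signature from the pinned key: accepted
    verify_tarball "$tarball" "$tarball.sig" "$release_fpr" \
        || { echo "FAIL: genuine release rejected"; return 1; }

    # 2. tarball modified after signing (one byte appended): rejected
    cp "$tarball" "$tarball.tampered"
    printf 'x' >> "$tarball.tampered"
    if verify_tarball "$tarball.tampered" "$tarball.sig" "$release_fpr"; then
        echo "FAIL: tampered tarball accepted"; return 1
    fi

    # 3. valid signature from a key that is not the pinned one: rejected
    other_fpr="$(generate_release_key 'Not The Release Key <other@example.invalid>')"
    sign_tarball "$tarball" "$other_fpr" "$tarball.other.sig"
    if verify_tarball "$tarball" "$tarball.other.sig" "$release_fpr"; then
        echo "FAIL: signature from unpinned key accepted"; return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
    echo "all checks passed"
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not installed; nothing to demonstrate"
fi
```

The design point is in `verify_tarball`: a detached signature only tells a packager that *some* key in the keyring signed the bytes, so the check that actually ties a download to the publisher is the comparison against a fingerprint learned through a separate channel, and a tampered archive or a signature from any other key must fail that check.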