
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2010-05-26 0:23:25
Message-ID: 4BFC69FD.7010901 () invisiblethingslab ! com

[Attachment #2 (multipart/signed)]


On 05/26/2010 02:11 AM, Michael Pyne wrote:
> On Tuesday, May 25, 2010 19:45:01 Joanna Rutkowska wrote:
>>>> or for the stable revisions in the SVN's stable/ branches?
>>>
>>> That doesn't even make any sense at all.
>>
>> Interesting opinion -- can you elaborate? Many (most?) version control
>> systems allow signing commits, e.g. git, mercurial, perhaps also SVN.
>>
>> Look at the Linux kernel -- every "release" commit is tagged and signed
>> by Linus -- see e.g. this:
> 
> No, it's not an opinion, he's giving a technical fact regarding the source 
> control system we currently use, Subversion. AFAIK git was actually the first 
> popular source control system to allow cryptographic-strength code signing so 
> it's still a relatively new feature. git gets it almost for free just based on 
> the way Linus Torvalds designed the filesystem.
> 
> I'm not going to say that it *can't* be done efficiently in Subversion, but 
> I'm pretty sure it would be very difficult and as it stands Subversion doesn't 
> support code signing.
> 
> It would be possible to sign tagged branches or what not by doing svn export 
> and signing the tarball but as you've already noted we don't go that far.
> 

If you could sign the tarballs you publish, it would be just enough. Why
are you saying that you don't plan to do that?

I'm currently in the process of packaging KDE for our Qubes OS, and I
*really* would welcome a reliable way to verify that packages I download
from kde.org are indeed what kde.org committers have published, before I
package them and distribute them as part of my system...

Security of any system should be built on strong foundations --
otherwise it all doesn't make any sense.

joanna.


["signature.asc" (application/pgp-signature)]
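
Added example, not part of the original message or of any KDE tooling: a packager-side check that accepts a downloaded tarball only when its detached OpenPGP signature is valid and was made by one pinned release key, based on GnuPG's machine-readable `--status-fd` output. The fingerprints, the helper names and the sample status lines are constructed for illustration.

```python
import subprocess

# Constructed placeholder fingerprints (not real KDE keys). PINNED_FPR stands for
# the release key fingerprint the packager obtained out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# GnuPG status keywords that mean the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def sample_status(fpr, verdict="GOODSIG"):
    """Build constructed `gpg --status-fd` output for offline testing."""
    lines = ["[GNUPG:] NEWSIG", f"[GNUPG:] {verdict} {fpr[-16:]} Constructed Key"]
    if verdict == "GOODSIG":
        lines.append(f"[GNUPG:] VALIDSIG {fpr} 2010-05-26 1274833405 0 4 0 1 8 00 {fpr}")
    return "\n".join(lines) + "\n"


def signer_from_status(status_text):
    """Return the primary-key fingerprint of a valid signature, else None."""
    fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return None  # any failed signature rejects the whole file
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; field 1 is the signing (sub)key.
            fpr = args[9] if len(args) >= 10 else args[0]
    return fpr


def is_trusted(status_text, pinned=PINNED_FPR):
    """Accept only a valid signature made by the pinned key."""
    fpr = signer_from_status(status_text)
    return fpr is not None and fpr.upper() == pinned.upper()


def verify_tarball(tarball, signature, pinned=PINNED_FPR):
    """Run gpg on a detached signature, then apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and is_trusted(proc.stdout, pinned)
```

Comparing against a pinned fingerprint matters because `gpg --verify` alone succeeds for a valid signature from any key present in the local keyring, not just the publisher's release key.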
