
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Michael Pyne <mpyne () kde ! org>
Date:       2010-05-26 0:31:13
Message-ID: 201005252031.14010.mpyne () kde ! org

[Attachment #2 (multipart/signed)]


On Tuesday, May 25, 2010 20:23:25 Joanna Rutkowska wrote:
> On 05/26/2010 02:11 AM, Michael Pyne wrote:
> > On Tuesday, May 25, 2010 19:45:01 Joanna Rutkowska wrote:
> >>>> or for the stable revisions in the SVN's stable/ branches?
> >>> 
> >>> That doesn't even make any sense at all.
> >> 
> >> Interesting opinion -- can you elaborate? Many (most?) version control
> >> systems allow signing commits, e.g. git, mercurial, perhaps also SVN.
> >> 
> >> Look at the Linux kernel -- every "release" commit is tagged and signed
> >> by Linus -- see e.g. this:
> > 
> > No, it's not an opinion, he's giving a technical fact regarding the
> > source control system we currently use, Subversion. AFAIK git was
> > actually the first popular source control system to allow
> > cryptographic-strength code signing so it's still a relatively new
> > feature. git gets it almost for free just based on the way Linus
> > Torvalds designed the filesystem.
> > 
> > I'm not going to say that it *can't* be done efficiently in Subversion,
> > but I'm pretty sure it would be very difficult and as it stands
> > Subversion doesn't support code signing.
> > 
> > It would be possible to sign tagged branches or what not by doing svn
> > export and signing the tarball but as you've already noted we don't go
> > that far.
> 
> If you could sign the tarballs you publish, it would be just enough. Why
> are you saying that you don't plan to do that?

Well, I don't package KDE releases at this point anyway, so any signatures I 
made would still be non-authoritative.

As for those who *do* package KDE (the Release Team), they have their own 
mailing list where this idea would be better brought up (release-team@kde.org). 
From what I remember of GnuPG, it shouldn't be too hard to add this step to the 
release checklist; essentially we'd just need to make a key, publish it, and 
have a bunch of KDE devs and packagers sign it to start the web of trust.

The hard part would be ensuring that the private key is kept safe and only 
given to the persons who strictly need it. On the other hand ideally this 
would be more than one person. ;)

Regards,
 - Michael Pyne

["signature.asc" (application/pgp-signature)]
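The checklist step sketched in the message above (make a key, publish it, sign the tarball, let packagers verify it), as an added example that is not part of the original thread and not the KDE Release Team's own procedure. It is plain GnuPG usage in throwaway keyrings: the key user ID, the release-team@example.invalid address, the tarball name and its contents are all constructed for the demo; the packager side holds only the imported public key, so the script also shows that a modified tarball fails verification.

```shell
#!/bin/sh
# Added example (not the KDE Release Team's own procedure): create a dedicated
# GnuPG signing key, publish its public half, sign a release tarball with a
# detached signature, and verify it from a packager's keyring that holds only
# the imported public key. The user ID, addresses and tarball contents are
# constructed for the demo; everything lives in throwaway keyrings in a temp dir.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

RELEASE_UID="Example Release Key <release-team@example.invalid>"   # hypothetical
WORK=""
cleanup() {
    [ -n "$WORK" ] || return 0
    for home in "$WORK/release" "$WORK/packager"; do
        [ -d "$home" ] && GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Fresh, private keyring directory. allow-loopback-pinentry lets --passphrase
# work non-interactively on older gpg-agent versions.
new_keyring() {  # $1 = homedir
    mkdir -p "$1" && chmod 700 "$1"
    echo allow-loopback-pinentry > "$1/gpg-agent.conf"
}

# Sign-only RSA key with an expiry, so a lost or leaked key ages out. The empty
# passphrase is for the demo only; a real release key gets a passphrase and
# stays on the release manager's machine.
make_release_key() {  # $1 = homedir
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$RELEASE_UID" rsa3072 sign 1y 2>/dev/null
}

# Public half for the website / keyserver; this is what devs and packagers
# certify with their own keys to start the web of trust.
export_public_key() {  # $1 = homedir, $2 = output file
    GNUPGHOME="$1" gpg --batch --quiet --armor --export "$RELEASE_UID" > "$2"
}

# Detached ASCII-armoured signature published next to the tarball (.sig).
sign_release() {  # $1 = homedir, $2 = tarball
    GNUPGHOME="$1" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$RELEASE_UID" --armor --detach-sign --output "$2.sig" "$2"
}

# Packager side. gpg exits 0 for a good signature from a key in the keyring
# (with a warning if that key is not yet certified) and non-zero otherwise.
verify_release() {  # $1 = homedir, $2 = tarball; prints good|bad
    if GNUPGHOME="$1" gpg --batch --quiet --verify "$2.sig" "$2" 2>/dev/null; then
        echo good
    else
        echo bad
    fi
}

# Full round trip; prints the verdict before and after tampering ("good bad").
demo() {
    WORK=$(mktemp -d)
    release="$WORK/release"; packager="$WORK/packager"
    new_keyring "$release"; new_keyring "$packager"
    make_release_key "$release"
    export_public_key "$release" "$WORK/release-key.asc"

    tarball="$WORK/example-4.4.4.tar.bz2"          # constructed stand-in for an svn export
    printf 'constructed tarball payload\n' > "$tarball"
    sign_release "$release" "$tarball"

    GNUPGHOME="$packager" gpg --batch --quiet --import "$WORK/release-key.asc" 2>/dev/null
    before=$(verify_release "$packager" "$tarball")

    printf 'trojaned mirror appended this\n' >> "$tarball"   # any change breaks the signature
    after=$(verify_release "$packager" "$tarball")

    cleanup; WORK=""
    echo "$before $after"
}

demo
```

A packager's day-to-day command is then just `gpg --verify foo.tar.bz2.sig foo.tar.bz2` after importing the published key once; the "not certified" warning goes away when the packager, or someone the packager trusts, has signed the release key, which is the web-of-trust step the message refers to. On the "more than one person" point: GnuPG has no threshold signing, so the choice is between a shared team key (copies of the same private key, each copy a separate thing to protect) and each release manager signing with a personal key that the others have certified.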



