From kde-devel Wed May 26 00:37:57 2010
From: Brad Hards
Date: Wed, 26 May 2010 00:37:57 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <201005261037.58309.bradh () frogmouth ! net>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127483424528425

On Wednesday 26 May 2010 10:23:25 am Joanna Rutkowska wrote:
> On 05/26/2010 02:11 AM, Michael Pyne wrote:
> > It would be possible to sign tagged branches or what not by doing svn
> > export and signing the tarball but as you've already noted we don't go
> > that far.
>
> If you could sign the tarballs you publish, it would be just enough. Why
> are you saying that you don't plan to do that?

I think he said that KDE doesn't do that, and doesn't plan to.

> I'm currently in the process of packaging KDE for our Qubes OS, and I
> *really* would welcome a reliable way to verify that packages I download
> from kde.org are indeed what kde.org committers have published, before I
> package them and distribute as part of my system...

Who would you trust to sign them?

> Security of any system should be built on strong foundations --
> otherwise it all doesn't make any sense.

This logic is basically one about putting an extra padlock on the front door,
when there is no back wall. There are 2395 svn accounts that can write to the
repository, which is probably a much easier (i.e. more likely) place to
introduce untrustworthy code than the package tarballs.

Brad
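The exchange above turns on two separate questions: what a detached signature on a release tarball would actually give a packager, and why a checksum published next to the tarball does not give the same thing. The following Go program is an added illustration written for this page; it is not KDE code and not part of the thread. It builds a small constructed tar archive standing in for a release, signs its SHA-256 digest with an Ed25519 key (a stand-in for the OpenPGP signature the thread is asking for; the key pair, file names and contents are all made up here), and then shows that a modified download fails signature verification even though a checksum regenerated alongside it still matches. The public key is assumed to be obtained out of band and pinned by the packager, which is the "who would you trust" part of Brad's reply; the signature says nothing about what was committed to the repository before the tarball was cut.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ReleaseFile is one entry of the constructed sample archive (hypothetical data).
type ReleaseFile struct{ Name, Body string }

// BuildTarball writes the files into an in-memory tar archive that stands in for a
// published release tarball. Constructed sample data, not a real KDE release.
func BuildTarball(files []ReleaseFile) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range files {
		hdr := &tar.Header{Name: f.Name, Mode: 0644, Size: int64(len(f.Body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(f.Body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// Digest is the hex SHA-256 of the archive, the value a SHA256SUMS file would carry.
func Digest(tarball []byte) string {
	sum := sha256.Sum256(tarball)
	return hex.EncodeToString(sum[:])
}

// GenerateReleaseKey creates the release manager's signing key pair (Ed25519 here,
// standing in for the OpenPGP key the thread discusses).
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRelease is the release-side step: a detached signature over the archive digest.
func SignRelease(priv ed25519.PrivateKey, tarball []byte) []byte {
	return ed25519.Sign(priv, []byte(Digest(tarball)))
}

// VerifyRelease is the packager's check: recompute the digest of what was downloaded
// and verify the signature against a public key pinned in the build recipe, not one
// fetched from the same place as the tarball.
func VerifyRelease(pub ed25519.PublicKey, tarball, sig []byte) bool {
	return ed25519.Verify(pub, []byte(Digest(tarball)), sig)
}

// DemoResult records what each check says about the genuine and the modified download.
type DemoResult struct {
	GenuineSignatureOK    bool // detached signature accepts the published archive
	TamperedSignatureOK   bool // detached signature accepts the modified archive
	TamperedChecksumMatch bool // a checksum regenerated beside the modified archive still matches it
}

// RunDemo publishes a sample release, then simulates receiving a modified copy whose
// accompanying checksum file was rewritten to match.
func RunDemo() DemoResult {
	pub, priv := GenerateReleaseKey()
	files := []ReleaseFile{
		{"kdelibs/CMakeLists.txt", "project(kdelibs)\n"},
		{"kdelibs/main.cpp", "int main() { return 0; }\n"},
	}
	genuine := BuildTarball(files)
	sig := SignRelease(priv, genuine)

	// The downloaded copy differs from what was signed, and the checksum served next
	// to it was recomputed over the modified bytes, so a checksum alone is satisfied.
	files[1].Body = "int main() { return 1; }\n"
	tampered := BuildTarball(files)
	servedChecksum := Digest(tampered)

	return DemoResult{
		GenuineSignatureOK:    VerifyRelease(pub, genuine, sig),
		TamperedSignatureOK:   VerifyRelease(pub, tampered, sig),
		TamperedChecksumMatch: Digest(tampered) == servedChecksum,
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Run it with `go run` and the genuine archive verifies while the modified one does not, even though the served checksum matches the modified bytes. That is the gap a signature closes over a checksum: the verification depends on a key the packager holds in advance rather than on whatever the download path happens to serve. It does not address the point in Brad's reply about repository write access, which a tarball signature cannot see.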