[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Brad Hards <bradh () frogmouth ! net>
Date:       2010-05-26 0:37:57
Message-ID: 201005261037.58309.bradh () frogmouth ! net
[Download RAW message or body]

On Wednesday 26 May 2010 10:23:25 am Joanna Rutkowska wrote:
> On 05/26/2010 02:11 AM, Michael Pyne wrote:
> > It would be possible to sign tagged branches or what not by doing svn
> > export and signing the tarball but as you've already noted we don't go
> > that far.
> 
> If you could sign the tarballs you publish, it would be just enough. Why
> are you saying that you don't plan to do that?
I think he said that KDE doesn't do that, and doesn't plan to.

> I'm currently in the process of packaging KDE for our Qubes OS, and I
> *really* would welcome a reliable way to verify that packages I download
> from kde.org are indeed what kde.org commiters have published, before I
> package them and distribute as part of my system...
Who would you trust to sign them?

> Security of any system should be build on strong foundations --
> otherwise it all doesn't make any sense.
This logic is basically one about putting an extra padlock on the front door, 
when there is no back wall. There are 2395 svn accounts that can write to the 
repository, which is probably a much easier (i.e. more likely) place to 
introduce untrustworthy code than the package tarballs.

Brad
 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]