From: Michael Pyne
Date: Wed, 26 May 2010 00:55:30 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <201005252055.31097.mpyne () kde ! org>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127483539729528

On Tuesday, May 25, 2010 20:52:45 Joanna Rutkowska wrote:
> On 05/26/2010 02:37 AM, Brad Hards wrote:
> >> Security of any system should be built on strong foundations --
> >> otherwise it all doesn't make any sense.
> >
> > This logic is basically one about putting an extra padlock on the front
> > door, when there is no back wall. There are 2395 svn accounts that can
> > write to the repository, which is probably a much easier (i.e. more
> > likely) place to introduce untrustworthy code than the package tarballs.
>
> Are you saying there is absolutely no control of what code goes into
> official tarballs?

No, he's saying there's 2395 separate svn accounts that can add code to the
repository.

All the commits are sent to a mailing list where interested parties can track
the changes and obviously bad commits can be backed out after the fact. But we
do not have a policy anywhere near as stringent as Mozilla's for instance
regarding getting an SVN account.

Regards,
- Michael Pyne