List: kde-devel
Subject: Re: digital signatures for kde sources?
From: Michael Pyne <mpyne () kde ! org>
Date: 2010-05-26 0:55:30
Message-ID: 201005252055.31097.mpyne () kde ! org
On Tuesday, May 25, 2010 20:52:45 Joanna Rutkowska wrote:
> On 05/26/2010 02:37 AM, Brad Hards wrote:
> >> Security of any system should be built on strong foundations --
> >> otherwise it all doesn't make any sense.
> >
> > This logic is basically one about putting an extra padlock on the front
> > door, when there is no back wall. There are 2395 svn accounts that can
> > write to the repository, which is probably a much easier (i.e. more
> > likely) place to introduce untrustworthy code than the package tarballs.
>
> Are you saying there is absolutely no control of what code goes into
> official tarballs?
No, he's saying there are 2395 separate svn accounts that can add code to the
repository.
All the commits are sent to a mailing list where interested parties can track
the changes and obviously bad commits can be backed out after the fact. But we
do not have a policy anywhere near as stringent as Mozilla's for instance
regarding getting an SVN account.
Regards,
- Michael Pyne