From kde-devel Wed May 26 06:04:57 2010
From: Ryan Rix
Date: Wed, 26 May 2010 06:04:57 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <201005252305.06277.ry () n ! rix ! si>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127485399712641

On Tue 25 May 2010 4:47:39 pm Joanna Rutkowska wrote:
> On 05/25/2010 10:25 PM, Lubos Lunak wrote:
> > On Tuesday 25 of May 2010, Joanna Rutkowska wrote:
> >> Hello,
> >>
> >> Where can I get digital signatures for KDE source code? Say, for the
> >> stable tarballs published in the FTP:
> >>
> >> ftp://ftp.kde.org/pub/kde/stable/
> >>
> > The release info pages (e.g. http://kde.org/info/4.4.3.php) have SHA1
> > sums.
>
> Publishing a SHA1 sum on the same server, via plaintext HTTP, doesn't
> change anything in terms of security. If somebody was able to subvert
> the tarball I'm downloading (e.g. because he or she compromised
> kde.org's FTP server, or one of the routers in between, or did some
> DNS protocol attack, or hacked into my WiFi), this person would also be
> able to subvert this SHA1 sum to match the subverted binary.
>
> KDE should be publishing real digital signatures (e.g. using GPG), not
> just the hashes.

IMHO, throwing around "You're doing it wrong"s is not the way to solve
things... Join the release-team list, bring it up with them. Hell, even offer
to help the release team implement this... :) Clearly there aren't really the
resources for anyone on the team to implement this, currently, hence the
pushback... remember we just pushed 4.5b1, a lot is going on.

If you really want something to happen, make it happen.

> joanna.

Ryan

-- 
Ryan Rix
== http://hackersramblings.wordpress.com | http://rix.si/ ==
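The threat model Joanna describes above, as an added example (not code from the KDE project or from anyone in this thread): a verifier that fetches the tarball and its SHA1 sum from the same channel accepts whatever an attacker controlling that channel serves, while a detached signature checked against a key obtained out of band does not. The example also goes one step beyond the thread: it shows that a signature checked against a KEYS file fetched from the same channel is no better than the bare checksum, because the attacker simply swaps in their own key. The tarball bytes, the server layout (`kde-4.4.3.tar.bz2`, `.sha1`, `.sig`, `KEYS`) and the attacker are all constructed here; the signature scheme is textbook RSA over a SHA-256 digest with tiny hard-coded Mersenne-prime keys, a deliberately insecure stand-in for a GPG key pair so that the script runs on the Python 3.8+ standard library alone.

```python
"""Model of 'checksum on the same server' versus a detached signature.

Added example; not KDE code. Toy RSA keys stand in for GPG keys and are
NOT secure (a real key is >= 2048 bits; these are ~92 and ~196 bits).
"""
import hashlib

E = 65537  # standard RSA public exponent


def toy_keypair(p, q):
    """Textbook RSA key from two distinct primes (toy; assumption: p, q prime)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private); pow(x, -1, m) needs 3.8+


def _digest_mod_n(data, n):
    # Real schemes pad the digest (PKCS#1 v1.5 / PSS); the toy reduces it mod n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(private_key, data):
    n, d = private_key
    return pow(_digest_mod_n(data, n), d, n)


def toy_verify(public_key, data, sig):
    n, e = public_key
    return pow(sig, e, n) == _digest_mod_n(data, n)


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


TARBALL = "kde-4.4.3.tar.bz2"  # constructed file name, mirrors the thread


def publish(tarball_bytes, release_private, release_public):
    """What the release team would put on the (untrusted) download server."""
    return {
        TARBALL: tarball_bytes,
        TARBALL + ".sha1": sha1_hex(tarball_bytes),
        TARBALL + ".sig": toy_sign(release_private, tarball_bytes),
        "KEYS": release_public,  # public key published on the same server
    }


# Attacker's own key pair (Mersenne primes M89, M107; toy).
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair((1 << 89) - 1, (1 << 107) - 1)


def mitm(server):
    """Attacker controlling the channel (FTP host, router, DNS, WiFi):
    swaps the tarball and rewrites everything else served on that channel."""
    evil = server[TARBALL] + b"\n# constructed backdoor\n"
    return {
        TARBALL: evil,
        TARBALL + ".sha1": sha1_hex(evil),                 # trivially recomputed
        TARBALL + ".sig": toy_sign(ATTACKER_PRIV, evil),   # signed with attacker's key
        "KEYS": ATTACKER_PUB,                              # and that key swapped in
    }


def verify_by_hash(server):
    """Checksum fetched from the same channel as the tarball."""
    return sha1_hex(server[TARBALL]) == server[TARBALL + ".sha1"]


def verify_by_signature(server, pinned_public_key):
    """GPG-style check against a key the verifier obtained out of band."""
    return toy_verify(pinned_public_key, server[TARBALL], server[TARBALL + ".sig"])


def verify_by_signature_key_from_server(server):
    """Signature checked against a KEYS file fetched from the same channel."""
    return toy_verify(server["KEYS"], server[TARBALL], server[TARBALL + ".sig"])


def run_scenario():
    release_pub, release_priv = toy_keypair((1 << 31) - 1, (1 << 61) - 1)  # M31, M61
    honest = publish(b"constructed stand-in for kde-4.4.3.tar.bz2\n", release_priv, release_pub)
    tampered = mitm(honest)
    return {
        "hash_honest": verify_by_hash(honest),
        "hash_tampered": verify_by_hash(tampered),                        # True: undetected
        "sig_pinned_honest": verify_by_signature(honest, release_pub),
        "sig_pinned_tampered": verify_by_signature(tampered, release_pub),  # False: detected
        "sig_keyfromserver_tampered": verify_by_signature_key_from_server(tampered),  # True
    }


if __name__ == "__main__":
    for check, accepted in run_scenario().items():
        print(f"{check:32s} accepted={accepted}")
```

The only check that rejects the tampered download is the one whose trust anchor (the release key) never travelled over the attacker-controlled channel; with GPG this means fetching the signing key from an independent source (a keyserver, a key fingerprint printed elsewhere, or a key already in the verifier's keyring) rather than from a KEYS file on the mirror.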