List: kde-devel
Subject: Re: digital signatures for kde sources?
From: Ryan Rix <ry () n ! rix ! si>
Date: 2010-05-26 6:04:57
Message-ID: 201005252305.06277.ry () n ! rix ! si
On Tue 25 May 2010 4:47:39 pm Joanna Rutkowska wrote:
> On 05/25/2010 10:25 PM, Lubos Lunak wrote:
> > On Tuesday 25 of May 2010, Joanna Rutkowska wrote:
> >> Hello,
> >>
> >> Where can I get digital signatures for KDE source code? Say, for the
> >> stable tarballs published in the FTP:
> >>
> >> ftp://ftp.kde.org/pub/kde/stable/
> >>
> > The release info pages (e.g. http://kde.org/info/4.4.3.php) have SHA1
> > sums.
>
> Publishing a SHA1 sum on the same server, via plaintext HTTP, doesn't
> change anything in terms of security. If somebody was able to subvert
> the tarball I'm downloading (e.g. because he or she compromised
> kde.org's FTP server, or one of the routers in between, or did some
> DNS protocol attack, or hacked into my WiFi), this person would also be
> able to subvert this SHA1 sum to match the subverted binary.
>
> KDE should be publishing real digital signatures (e.g. using GPG), not
> just the hashes.
IMHO, throwing around "You're doing it wrong"s is not the way to solve
things... Join the release-team list, bring it up with them. Hell, even offer
to help the release team implement this... :) Clearly there aren't really the
resources for anyone on the team to implement this, currently, hence the
pushback... remember we just pushed 4.5b1, a lot is going on.
If you really want something to happen, make it happen.
> joanna.
Ryan
--
Ryan Rix
== http://hackersramblings.wordpress.com | http://rix.si/ ==
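As an added illustration of the argument in the quoted reply (not code from this thread or from KDE's release tooling), the script below plays the scenario out locally: a sums file fetched from the same channel as the tarball is rewritten along with it and still checks out, while a detached OpenPGP signature checked against a fingerprint pinned out of band does not. It assumes GnuPG 2.x and GNU coreutils; the key, tarball name, sums file and signature it creates are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from this thread or from KDE. It plays the argument
# in the reply above out locally: an attacker who controls the download channel
# can rewrite the SHA1SUMS file together with the tarball, so "sha1sum -c"
# still passes, while a detached OpenPGP signature checked against a key
# fingerprint pinned out of band does not. A throwaway key stands in for the
# release key and a small text file for the tarball (assumes GnuPG 2.x).
set -eu

# Accept TARBALL ($1) only if SIG ($2) verifies and was made by the key whose
# full fingerprint is $3; the fingerprint must not come from the same server.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# The weaker check: does TARBALL ($1) match its entry in SUMSFILE ($2)?
sha1_matches() {
    ( cd "$(dirname "$1")" && grep " $(basename "$1")\$" "$2" | sha1sum -c --status )
}

# Constructed fixture: keyring, release key, "tarball", sums file, signature.
setup_fixture() {
    WORK=$(mktemp -d)
    export GNUPGHOME="$WORK/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'release@example.invalid' ed25519 sign 0 2>/dev/null
    FPR=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ { print $10; exit }')
    printf 'kde-4.4.3 (constructed tarball contents)\n' > "$WORK/kde-4.4.3.tar.bz2"
    ( cd "$WORK" && sha1sum kde-4.4.3.tar.bz2 > SHA1SUMS )
    gpg --batch --quiet --detach-sign --armor \
        -o "$WORK/kde-4.4.3.tar.bz2.sig" "$WORK/kde-4.4.3.tar.bz2" 2>/dev/null
}

# Returns 0 if the scenario plays out as claimed: both checks pass on the
# genuine file, and after tampering only the signature check fails.
demo() {
    setup_fixture
    t="$WORK/kde-4.4.3.tar.bz2"
    sha1_matches "$t" "$WORK/SHA1SUMS" || return 1
    verify_release "$t" "$t.sig" "$FPR" || return 1
    # the attacker swaps the tarball and regenerates the sums file next to it
    printf 'trojaned contents\n' > "$t"
    ( cd "$WORK" && sha1sum kde-4.4.3.tar.bz2 > SHA1SUMS )
    sha1_matches "$t" "$WORK/SHA1SUMS" || return 1   # still matches: proves nothing
    ! verify_release "$t" "$t.sig" "$FPR"            # signature no longer verifies
}

if command -v gpg >/dev/null 2>&1; then
    demo && echo "hash check fooled, signature check held"
fi
```

The pinned fingerprint is the part that cannot be served from the mirror; it has to reach the downloader by some channel the mirror does not control.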