From kde-devel Wed May 26 08:54:41 2010
From: Andreas Pakulat
Date: Wed, 26 May 2010 08:54:41 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <20100526085441.GA18375 () barmbek>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127486415624555

On 26.05.10 02:50:18, Joanna Rutkowska wrote:
> On 05/26/2010 02:31 AM, Michael Pyne wrote:
> > As far as those who *do* package KDE (the Release Team) they have their own
> > mailing list where this idea would be better brought up
> > (release-team@kde.org).
>
> But I need the signature from the original authors
> (committers/release-managers).

As was said, that's technically not feasible at the moment, let alone that it
would increase the barrier of entry quite a bit for commit access to KDE. We're
very different here in comparison to the Linux kernel, as we have lots of people
with access rights to the main repository, while in the case of the Linux kernel
basically only Linus merges stuff into the mainline repository.

So signing the tarballs would be done with a KDE key by whoever does the release
(that's one person usually right now). But this only covers the trunk/KDE/kde*
modules, not any extragear and other apps, as those are done by other people
usually.

> > From what I remember of GnuPG it shouldn't be too hard to add this step to
> > the release checklist; essentially we'd just need to make a key and publish
> > it and have a bunch of KDE devs and packagers sign it to start the web of
> > trust.
> >
> > The hard part would be ensuring that the private key is kept safe and only
> > given to the persons who strictly need it. On the other hand ideally this
> > would be more than one person. ;)
>
> Instead of having just one private key, it would be much better for every
> committer/release-manager or whoever is responsible for building the stable
> tarballs to generate their own private key and use it for signing.
> Then, there should be one "master signing key" that would be kept on some
> safe machine (perhaps used just for the purpose of generating and using this
> key) and which would be used to sign all the "authorized" developers' keys.
> This key (the public portion) would be published on the kde.org website, and
> you can also send it to the kde-devel list, to make it possible for people to
> obtain it from 2 different sources (I guess kde-devel is widely mirrored over
> the internet, so it would not be feasible for the attacker to subvert this
> public key in all the places). Perhaps only the top 2 or 3 most trusted KDE
> developers (I'm sorry I don't know the management structure of the project)
> should have access to the master signing key.

That's the thing: we don't have a hierarchical model with n (n < 5) people at
the top like in the Linux kernel case. We have a very broad structure; even the
release team consists of at least 5 active people. Every main module has its own
release coordinator, but most of the time they decide together with their team.

Andreas
--
While you recently had your problems on the run, they've regrouped and are
making another attack.
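The scheme Joanna sketches (per-developer signing keys, one offline master key certifying the authorized ones) can be checked mechanically on the verifier's side. The script below is an added example, not from this thread or from KDE's release process; it assumes GnuPG 2.1 or later and uses constructed names, keys and a stand-in tarball in a throwaway keyring.

```shell
#!/bin/sh
# Added example (not from the thread): the scheme proposed above, modelled
# with GnuPG in a throwaway keyring. Every developer signs with their own
# key, one offline "master signing key" certifies the authorized developer
# keys, and a verifier accepts a tarball only when the detached signature is
# good AND the signing key carries a certification from the master key.
# Assumes GnuPG 2.1+; all names, keys and the tarball are constructed here.
set -eu
W=$(mktemp -d)
export GNUPGHOME="$W/gnupg"
mkdir -m 700 "$GNUPGHOME"
cd "$W"
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
fpr_of() { g --list-keys --with-colons "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Key material: a certify-only master key and two developer signing keys.
g --quick-generate-key "Master Signing Key <master@example.invalid>" ed25519 cert never
g --quick-generate-key "Authorized Dev <dev@example.invalid>" ed25519 sign never
g --quick-generate-key "Unknown Dev <stranger@example.invalid>" ed25519 sign never
MASTER_FPR=$(fpr_of master@example.invalid)
MASTER_KID=$(printf '%s' "$MASTER_FPR" | tail -c 16)   # long key id = last 16 hex digits

# The master key certifies only the authorized developer's key.
g -u "$MASTER_FPR" --quick-sign-key "$(fpr_of dev@example.invalid)"

# verify_release TARBALL SIGFILE: returns 0 if the signature is good and the
# signer is certified by the master key; 1 otherwise (bad sig or unknown signer).
verify_release() {
  signer=$(g --status-fd 1 --verify "$2" "$1" 2>/dev/null \
           | awk '$2=="VALIDSIG"{print $3; exit}')
  [ -n "$signer" ] || return 1
  # "sig:!:..." lines are valid certifications; field 5 is the certifier's key id.
  g --check-sigs --with-colons "$signer" 2>/dev/null \
    | awk -F: -v m="$MASTER_KID" '$1=="sig" && $2=="!" && $5==m {ok=1} END {exit !ok}'
}

# Constructed release: signed once by the authorized dev, once by a stranger.
printf 'constructed stand-in for a release tarball\n' > release.tar
g -u dev@example.invalid --detach-sign --output release.tar.sig release.tar
g -u stranger@example.invalid --detach-sign --output rogue.sig release.tar

verify_release release.tar release.tar.sig && echo "accepted: signer certified by master key"
verify_release release.tar rogue.sig || echo "rejected: valid signature, but signer not certified"
```

A signature from a key the master never certified verifies cryptographically yet is still rejected, which is the property that distinguishes this from a plain `gpg --verify`.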