
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Andreas Pakulat <apaku () gmx ! de>
Date:       2010-05-26 8:54:41
Message-ID: 20100526085441.GA18375 () barmbek

On 26.05.10 02:50:18, Joanna Rutkowska wrote:
> On 05/26/2010 02:31 AM, Michael Pyne wrote:
> > As far as those who *do* package KDE (the Release Team) they have their own 
> > mailing list where this idea would be better brought up (release-team@kde.org).
> 
> But I need the signature from the original authors
> (committers/release-managers).

As was said, that's technically not feasible at the moment, let alone
that it would increase the barrier of entry quite a bit for
commit-access to KDE. We're very different here in comparison to the
Linux kernel as we have lots of people with access rights to the main
repository, while in the case of the Linux kernel basically only Linus
merges stuff into the mainline repository.

So signing the tarballs would be done with a KDE key by whoever does the
release (that's one person usually right now). But this only covers the
trunk/KDE/kde* modules, not any extragear and other apps as those are
done by other people usually.

> > From what I remember of Gnu PG it shouldn't be too hard to add 
> > this step to the release checklist, essentially we'd just need to make a key 
> > and publish it and have a bunch of KDE devs and packagers sign it to start the 
> > web of trust.
> > 
> > The hard part would be ensuring that the private key is kept safe and only 
> > given to the persons who strictly need it. On the other hand ideally this 
> > would be more than one person. ;)
> 
> Instead of having just one private key, it would be much better for
> every committer/release-manager or whoever is responsible for building
> the stable tarballs, to generate their own private key and use it for
> signing. Then, there should be one "master signing key" that would be
> kept on some safe machine (perhaps used just for the purpose of
> generating and using this key) and which would be used to sign all the
> "authorized" developers keys. This key (the public portion) would be
> published on kde.org website, and you can also send it to kde-devel
> list, to make it possible for people to obtain it from 2 different
> sources (I guess kde-devel is widely mirrored over internet, so it would
> not be feasible for the attacker to subvert this public key in all the
> places). Perhaps only the top 2 or 3 most trusted KDE developers (I'm
> sorry I don't know the management structure of the project) should have
> access to the master signing key.

That's the thing: we don't have a hierarchical model with n (n < 5) people
at the top like in the Linux kernel case. We have a very broad
structure, even the release-team consists of at least 5 active people.
Every main module has its own release-coordinator but most of the time
they decide together with their team.

Andreas

-- 
While you recently had your problems on the run, they've regrouped and
are making another attack.
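The key hierarchy Joanna sketches above (each releaser signs with their own key, a master key kept on an isolated machine certifies the authorized developer keys, and a downloader trusts only the out-of-band master public key) as an added example; this is not code from the thread or from KDE, it substitutes Go's ed25519 for OpenPGP and the Cert/SignedTarball structures are assumed stand-ins for key signatures and detached tarball signatures:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert is the master key's endorsement of one authorized developer key.
type Cert struct {
	DevPub ed25519.PublicKey
	Sig    []byte // master signature over DevPub
}
type SignedTarball struct {
	Data, Sig []byte // tarball bytes and the releaser's signature over their digest
	Cert      Cert   // links the releaser's key to the master key
}

// certify runs on the isolated machine that holds the master key.
func certify(masterPriv ed25519.PrivateKey, devPub ed25519.PublicKey) Cert {
	return Cert{DevPub: devPub, Sig: ed25519.Sign(masterPriv, devPub)}
}

// signTarball runs wherever the release is built, with that person's own key.
func signTarball(devPriv ed25519.PrivateKey, c Cert, data []byte) SignedTarball {
	d := sha256.Sum256(data)
	return SignedTarball{Data: data, Sig: ed25519.Sign(devPriv, d[:]), Cert: c}
}

// verifyTarball trusts only masterPub (fetched out of band) and checks the Cert first.
func verifyTarball(masterPub ed25519.PublicKey, t SignedTarball) error {
	if len(t.Cert.DevPub) != ed25519.PublicKeySize || !ed25519.Verify(masterPub, t.Cert.DevPub, t.Cert.Sig) {
		return errors.New("developer key not certified by master key")
	}
	if d := sha256.Sum256(t.Data); !ed25519.Verify(t.Cert.DevPub, d[:], t.Sig) {
		return errors.New("tarball signature does not match contents")
	}
	return nil
}

func main() {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	t := signTarball(devPriv, certify(masterPriv, devPub), []byte("constructed tarball bytes"))
	fmt.Println("certified key:", verifyTarball(masterPub, t))
	t.Data = append(t.Data, 'x') // tampered in transit
	fmt.Println("tampered data:", verifyTarball(masterPub, t))
}
```

A key that the master never certified, such as one that merely certifies itself, is rejected before its tarball signature is even examined.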
