
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Andreas Pakulat <apaku () gmx ! de>
Date:       2010-05-26 8:59:17
Message-ID: 20100526085917.GB18375 () barmbek

On 26.05.10 01:47:39, Joanna Rutkowska wrote:
> On 05/25/2010 10:25 PM, Lubos Lunak wrote:
> > On Tuesday 25 of May 2010, Joanna Rutkowska wrote:
> >> Hello,
> >>
> >> Where can I get digital signatures for KDE source code. Say, for the
> >> stable tarballs published in the FTP:
> >>
> >> ftp://ftp.kde.org/pub/kde/stable/
> > 
> >  The release info pages (e.g. http://kde.org/info/4.4.3.php) have SHA1 sums.
> > 
> 
> Publishing SHA1 sum on the same server, via plaintext HTTP, doesn't
> change anything in terms of security.

How do you know it's the same server? I at least get 2 different IPs.

> If somebody was able to subvert
> the tarball I'm downloading (e.g. because he or she compromised the
> kde.org's FTP server, or one of the routers in between, or doing some
> DNS protocol attack, or hacked into my WiFi), this person would also be
> able to subvert this SHA1 sum to match the subverted binary.
> 
> KDE should be publishing real digital signatures (e.g. using GPG), not
> just the hashes.

Well, as we're mostly a developer community we go by "who codes
decides", so if you want to have that you'll have to make the first step
at implementing it (which is suggesting it to the right people).

Andreas

-- 
Your life would be very empty if you had nothing to regret.
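As an added illustration of the threat model argued over in this thread (not code from the thread, from KDE or from either poster): a toy model in which the downloader receives the tarball, its SHA1 sum and a detached signature over the same channel, and an on-path attacker rewrites the tarball. The keypair is a constructed textbook-RSA pair built from two Mersenne primes, far too small for real use; its public half stands for a release key the downloader already holds from somewhere other than the download server.

```python
import hashlib

# Toy RSA keypair, constructed for this illustration only (two Mersenne
# primes, far too small for real use). (E, N) stands for the release key a
# downloader obtained out of band, e.g. from a keyserver or a web of trust.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, publisher only

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, d: int = D) -> int:
    return pow(_digest(data), d, N)

def verify(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    return pow(sig, e, n) == _digest(data)

def publish(tarball: bytes) -> dict:
    """What the release server serves: tarball, SHA1 sum, detached signature."""
    return {"tarball": tarball,
            "sha1": hashlib.sha1(tarball).hexdigest(),
            "sig": sign(tarball)}

def tamper(served: dict, replacement: bytes) -> dict:
    """An attacker on the path (mirror, router, DNS, WiFi) rewrites both the
    tarball and the SHA1 sum; without D the old signature can only be replayed."""
    return {"tarball": replacement,
            "sha1": hashlib.sha1(replacement).hexdigest(),
            "sig": served["sig"]}

def check_sha1(served: dict) -> bool:
    """Sum fetched over the same channel as the tarball: no independent trust."""
    return hashlib.sha1(served["tarball"]).hexdigest() == served["sha1"]

def check_sig(served: dict) -> bool:
    """Signature checked against the key the downloader already holds."""
    return verify(served["tarball"], served["sig"])

if __name__ == "__main__":
    good = b"kde-4.4.3 release tarball (constructed sample bytes)"
    evil = b"kde-4.4.3 modified tarball (constructed sample bytes)"
    honest, hijacked = publish(good), tamper(publish(good), evil)
    print("untouched: sha1 ok:", check_sha1(honest), " sig ok:", check_sig(honest))
    print("tampered : sha1 ok:", check_sha1(hijacked), " sig ok:", check_sig(hijacked))
```

The co-located SHA1 sum still passes after tampering because the attacker rewrote it along with the tarball; only the signature check, anchored in a key the attacker cannot replace on the wire, reports the substitution.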