From kde-devel Wed May 26 09:04:34 2010
From: Joanna Rutkowska
Date: Wed, 26 May 2010 09:04:34 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <4BFCE422.9080405 () invisiblethingslab ! com>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127486462325145

On 05/26/2010 10:54 AM, Andreas Pakulat wrote:
> On 26.05.10 02:50:18, Joanna Rutkowska wrote:
>> On 05/26/2010 02:31 AM, Michael Pyne wrote:
>>> As far as those who *do* package KDE (the Release Team) they have their own
>>> mailing list where this idea would be better brought up
>>> (release-team@kde.org).
>>
>> But I need the signature from the original authors
>> (committers/release-managers).
>
> As was said, that's technically not feasible at the moment, let alone
> that it would increase the barrier of entry quite a bit for
> commit-access to KDE. We're very different here in comparison to the
> linux kernel as we have lots of people with access rights to the main
> repository, while in the case of the linux kernel basically only Linus
> merges stuff into the mainline repository.
>
> So signing the tarballs would be done with a KDE key by whoever does the
> release (that's one person usually right now). But this only covers the
> trunk/KDE/kde* modules, not any extragear and other apps as those are
> done by other people usually.
>

Can you explain (or point me to an appropriate document) how the
release process is done in the KDE project?

Who decides that you're releasing a particular version at a particular
time? Who builds and uploads the final stable tarball? Who hits the
"Enter" button?

joanna.