List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2010-05-26 9:10:13
Message-ID: 4BFCE575.5010002 () invisiblethingslab ! com

On 05/26/2010 10:59 AM, Andreas Pakulat wrote:
> On 26.05.10 01:47:39, Joanna Rutkowska wrote:
>> On 05/25/2010 10:25 PM, Lubos Lunak wrote:
>>> On Tuesday 25 of May 2010, Joanna Rutkowska wrote:
>>>> Hello,
>>>>
>>>> Where can I get digital signatures for KDE source code? Say, for the
>>>> stable tarballs published in the FTP:
>>>>
>>>> ftp://ftp.kde.org/pub/kde/stable/
>>>
>>>  The release info pages (e.g. http://kde.org/info/4.4.3.php) have SHA1 sums.
>>>
>>
>> Publishing SHA1 sum on the same server, via plaintext HTTP, doesn't
>> change anything in terms of security.
> 
> How do you know it's the same server? I at least get 2 different IPs.
> 
I don't understand the question. Please rephrase.

>> If somebody was able to subvert
>> the tarball I'm downloading (e.g. because he or she compromised the
>> kde.org's FTP server, or one of the routers in between, or doing some
>> DNS protocol attack, or hacked into my WiFi), this person would also be
>> able to subvert this SHA1 sum to match the subverted binary.
>>
>> KDE should be publishing real digital signatures (e.g. using GPG), not
>> just the hashes.
> 
> Well, as we're mostly a developer community we go by "who codes
> decides", so if you want to have that you'll have to make the first step
> at implementing it (which is suggesting it to the right people).
> 

Well, everything you need has already been implemented:
http://gnupg.org/

:)

joanna.
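
The argument in the message above, as an added example that is not part of the original thread: a checksum served over the same channel as the tarball still matches after both are rewritten, while a signature checked against a key obtained out of band does not. Assumptions: a Lamport one-time signature built from the Python standard library stands in for a GPG signature, and all function names and sample bytes are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature (stand-in for GPG; one key signs ONE message).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    # Reveal one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def publish(sk, tarball: bytes) -> dict:
    """Everything the download channel serves for one release."""
    return {"tarball": tarball, "sha1": sha1_hex(tarball), "sig": sign(sk, tarball)}

def tamper(served: dict) -> dict:
    """Channel attacker: rewrites all served files, but lacks the project's secret key."""
    attacker_sk, _ = keygen()
    return publish(attacker_sk, served["tarball"] + b"# altered in transit\n")

def downloader_checks(served: dict, pinned_pk) -> tuple:
    """(checksum matches, signature valid under the key obtained out of band)."""
    return (sha1_hex(served["tarball"]) == served["sha1"],
            verify(pinned_pk, served["tarball"], served["sig"]))

# Constructed sample data: a byte string standing in for the release tarball.
PROJECT_SK, PINNED_PK = keygen()
HONEST = publish(PROJECT_SK, b"constructed stand-in for a release tarball\n")

if __name__ == "__main__":
    print("honest  :", downloader_checks(HONEST, PINNED_PK))
    print("tampered:", downloader_checks(tamper(HONEST), PINNED_PK))
```

The signature check only holds because `PINNED_PK` never travels over the channel the attacker controls; a key fetched alongside the tarball could be swapped like the checksum.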

