[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: digital signatures for kde sources?
From: Andreas Pakulat <apaku () gmx ! de>
Date: 2010-05-26 9:31:49
Message-ID: 20100526093149.GD18375 () barmbek
[Download RAW message or body]
On 26.05.10 11:10:13, Joanna Rutkowska wrote:
> On 05/26/2010 10:59 AM, Andreas Pakulat wrote:
> > On 26.05.10 01:47:39, Joanna Rutkowska wrote:
> >> On 05/25/2010 10:25 PM, Lubos Lunak wrote:
> >>> On Tuesday 25 of May 2010, Joanna Rutkowska wrote:
> >>>> Hello,
> >>>>
> >>>> Where can I get digital signatures for KDE source code. Say, for the
> >>>> stable tarballs published in the FTP:
> >>>>
> >>>> ftp://ftp.kde.org/pub/kde/stable/
> >>>
> >>> The release info pages (e.g. http://kde.org/info/4.4.3.php) have SHA1 sums.
> >>>
> >>
> >> Publishing SHA1 sum on the same server, via plaintext HTTP, doesn't
> >> change anything in terms of security.
> >
> > How do you know its the same server? I at least get 2 different IP's.
> >
> I don't understand the question? Please rephrase.
You're claiming that the sha1 sum is published on the same server as the
tarballs. I'd just like to know how you know that this is the case as
both have different IP's.
> >> If somebody was able to subvert
> >> the tarball I'm downloading (e.g. because he or she compromised the
> >> kde.org's FTP server, or one of the routers in between, or doing some
> >> DNS protocol attack, or hacked into my WiFi), this person would also be
> >> able to subvert this SHA1 sum to match the subverted binary.
> >>
> >> KDE should be publishing real digital signatures (e.g. using GPG), not
> >> just the hashes.
> >
> > Well, as we're mostly a developer community we go by "who codes
> > decides", so if you want to have that you'll have to make the first step
> > at implementing it (which is suggesting it to the right people).
> >
>
> Well, everything you need has already been implemented:
> http://gnupg.org/
Thats just the tools, but there also has to be a process implemented.
Don't get me wrong, signing the tarballs is certainly a good idea.
Andreas
--
You get along very well with everyone except animals and people.
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic