From kde-devel Wed May 26 10:10:40 2010
From: Scott Kitterman
Date: Wed, 26 May 2010 10:10:40 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id:
X-MARC-Message: https://marc.info/?l=kde-devel&m=127486868730635

"Joanna Rutkowska" wrote:

>On 05/26/2010 03:49 AM, Scott Kitterman wrote:
>>> Instead of having just one private key, it would be much better for
>>> every committer/release-manager or whoever is responsible for building
>>> the stable tarballs, to generate their own private key and use it for
>>> signing. Then, there should be one "master signing key" that would be
>>> kept on some safe machine (perhaps used just for the purpose of
>>> generating and using this key) and which would be used to sign all the
>>> "authorized" developers' keys. This key (the public portion) would be
>>> published on the kde.org website, and you can also send it to the kde-devel
>>> list, to make it possible for people to obtain it from 2 different
>>> sources (I guess kde-devel is widely mirrored over the internet, so it would
>>> not be feasible for the attacker to subvert this public key in all the
>>> places). Perhaps only the top 2 or 3 most trusted KDE developers (I'm
>>> sorry I don't know the management structure of the project) should have
>>> access to the master signing key.
>>>
>> Speaking as an Ubuntu packager, we maintain in-transit assurance of
>> package integrity by retrieving the tarballs via sftp. If someone
>> can MITM my SSH session, then there's a lot better things they can
>> do with it than modify KDE tarballs in transit.
>>
>
>That's certainly better than relying on the SHA1 hash embedded on the
>plaintext HTML page. But it still doesn't help if somebody compromised
>KDE's ftp server. You might comfort yourself that this is unlikely to
>happen, but the reality is simply different ...

Which is why I specified in-transit assurance.

I agree signing would be better, but thought it reasonable to point out that at least part of the problem had a reasonable solution in place already.

Scott K

>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
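The two-level scheme proposed in the quoted text (an offline master key certifies each developer's key, the developer signs the tarball, and a packager holding only the published master public key verifies the chain), as an added example that is not part of the thread. It uses Go's standard-library Ed25519 in place of the OpenPGP tooling a project would actually use; the tarball bytes and all keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// certifyDeveloper runs on the offline master machine: the master key signs devPub.
func certifyDeveloper(masterPriv ed25519.PrivateKey, devPub ed25519.PublicKey) []byte {
	return ed25519.Sign(masterPriv, devPub)
}

// signTarball is what the release manager does with their own key.
func signTarball(devPriv ed25519.PrivateKey, tarball []byte) []byte {
	h := sha256.Sum256(tarball)
	return ed25519.Sign(devPriv, h[:])
}

// verifyTarball needs only the published master public key: first the master's
// certification of devPub is checked, then devPub's signature over the digest.
func verifyTarball(masterPub, devPub ed25519.PublicKey, devCert, tarball, tarSig []byte) error {
	if !ed25519.Verify(masterPub, devPub, devCert) {
		return errors.New("developer key is not certified by the master key")
	}
	h := sha256.Sum256(tarball)
	if !ed25519.Verify(devPub, h[:], tarSig) {
		return errors.New("tarball signature does not match its contents")
	}
	return nil
}

// demo: genuine release verifies; altered tarball and uncertified signer are rejected.
func demo() (genuineOK, tamperRejected, rogueRejected bool) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	tarball := []byte("constructed sample tarball bytes") // stands in for the real archive
	devCert := certifyDeveloper(masterPriv, devPub)
	sig := signTarball(devPriv, tarball)
	genuineOK = verifyTarball(masterPub, devPub, devCert, tarball, sig) == nil
	altered := append([]byte{}, tarball...)
	altered[0] ^= 0xff // changed after signing, e.g. on a compromised server
	tamperRejected = verifyTarball(masterPub, devPub, devCert, altered, sig) != nil
	rogueCert := ed25519.Sign(roguePriv, roguePub) // self-certified, never signed by master
	rogueRejected = verifyTarball(masterPub, roguePub, rogueCert, tarball, signTarball(roguePriv, tarball)) != nil
	return
}

func main() { fmt.Println(demo()) }
```

A packager following this model only ever has to obtain the master public key out of band (the website plus the mirrored list archive, as proposed); a compromised download server can replace tarballs or developer keys but cannot produce a certification that verifies against it.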