[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: digital signatures for kde sources?
From: Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date: 2010-05-26 10:31:20
Message-ID: 4BFCF878.5050500 () invisiblethingslab ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
On 05/26/2010 11:28 AM, Andreas Pakulat wrote:
> On 26.05.10 11:04:34, Joanna Rutkowska wrote:
>> On 05/26/2010 10:54 AM, Andreas Pakulat wrote:
>>> On 26.05.10 02:50:18, Joanna Rutkowska wrote:
>>>> On 05/26/2010 02:31 AM, Michael Pyne wrote:
>>>>> As far as those who *do* package KDE (the Release Team) they have their own
>>>>> mailing list where this idea would be better brought up (release-
>>>>> team@kde.org).
>>>>
>>>> But I need the signature from the original authors
>>>> (commiters/release-managers).
>>>
>>> As was said, thats technically not feasible at the moment, let alone
>>> that it would increase the barrier of entry quite a bit for
>>> commit-access to KDE. We're very different here in comparison to the
>>> linux kernel as we have lots of people with access rights to the main
>>> repository, while in the case of the linux kernel basically only Linus
>>> merges stuff into the mainline repository.
>>>
>>> So signing the tarballs would be done with a KDE key by whoever does the
>>> release (thats one person usually right now). But this only covers the
>>> trunk/KDE/kde* modules, not any extragear and other apps as those are
>>> done by other people usually.
>>>
>>
>> Can you explain (or point me to an appropriate document) how is the
>> release process done in KDE project? Who decides that you're releasing a
>> particular version at a particular time? Who builds and uploads the
>> final stable tarball? Who hits the "Enter" button?
>
> This is all done by the already-mentioned release-team on the already
> mentioned release-team mailinglist. Someone proposes a release-schedule,
> its discussed and then put up on our techbase.kde.org server. Beyond
> that there's no "rules" who creates/uploads the tarballs, but most of
> the time its done by Dirk Mueller. This procedure however is only
> applicable for the main KDE modules (trunk/KDE/*), apps from extragear
> may have their own process.
>
Fair enough -- I will write a signing process proposal and send to
release-team list. However, I would appreciate if somebody could tell me
how to subscribe to that list -- I just tried the usual way (sending a
mail to listname-request@kde.org), but got this error:
<quote>
Hi. This is the qmail-send program at ktown.kde.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<kde-release-team-request@kde.org>:
Sorry, no mailbox here by that name. (#5.1.1)
</>
j.
["signature.asc" (application/pgp-signature)]
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic