From kde-devel Wed May 26 10:40:42 2010 From: Ben Cooksley Date: Wed, 26 May 2010 10:40:42 +0000 To: kde-devel Subject: Re: digital signatures for kde sources? Message-Id: X-MARC-Message: https://marc.info/?l=kde-devel&m=127487067100912 On Wed, May 26, 2010 at 10:31 PM, Joanna Rutkowska wrote: > On 05/26/2010 11:28 AM, Andreas Pakulat wrote: >> On 26.05.10 11:04:34, Joanna Rutkowska wrote: >>> On 05/26/2010 10:54 AM, Andreas Pakulat wrote: >>>> On 26.05.10 02:50:18, Joanna Rutkowska wrote: >>>>> On 05/26/2010 02:31 AM, Michael Pyne wrote: >>>>>> As far as those who *do* package KDE (the Release Team) they have their own >>>>>> mailing list where this idea would be better brought up (release- >>>>>> team@kde.org). >>>>> >>>>> But I need the signature from the original authors >>>>> (commiters/release-managers). >>>> >>>> As was said, thats technically not feasible at the moment, let alone >>>> that it would increase the barrier of entry quite a bit for >>>> commit-access to KDE. We're very different here in comparison to the >>>> linux kernel as we have lots of people with access rights to the main >>>> repository, while in the case of the linux kernel basically only Linus >>>> merges stuff into the mainline repository. >>>> >>>> So signing the tarballs would be done with a KDE key by whoever does the >>>> release (thats one person usually right now). But this only covers the >>>> trunk/KDE/kde* modules, not any extragear and other apps as those are >>>> done by other people usually. >>>> >>> >>> Can you explain (or point me to an appropriate document) how is the >>> release process done in KDE project? Who decides that you're releasing a >>> particular version at a particular time? Who builds and uploads the >>> final stable tarball? Who hits the "Enter" button? >> >> This is all done by the already-mentioned release-team on the already >> mentioned release-team mailinglist. Someone proposes a release-schedule, >> its discussed and then put up on our techbase.kde.org server. Beyond >> that there's no "rules" who creates/uploads the tarballs, but most of >> the time its done by Dirk Mueller. This procedure however is only >> applicable for the main KDE modules (trunk/KDE/*), apps from extragear >> may have their own process. >> > > Fair enough -- I will write a signing process proposal and send to > release-team list. However, I would appreciate if somebody could tell me > how to subscribe to that list -- I just tried the usual way (sending a > mail to listname-request@kde.org), but got this error: Please see https://mail.kde.org/mailman/listinfo/release-team > > > Hi. This is the qmail-send program at ktown.kde.org. > I'm afraid I wasn't able to deliver your message to the following addresses. > This is a permanent error; I've given up. Sorry it didn't work out. > > : > Sorry, no mailbox here by that name. (#5.1.1) > > > j. > > > >>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe << > > Regards, Ben >> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<