From kde-devel Wed May 26 12:55:32 2010
From: Tobias Ellinghaus
Date: Wed, 26 May 2010 12:55:32 +0000
To: kde-devel
Subject: Re: Proposal: Implementing signing process for official tarballs (try
Message-Id: <201005261455.33108.houz () gmx ! de>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127487859812460

On Wednesday, 26 May 2010, Joanna Rutkowska wrote:
[...]
> Digital Signatures can prove that a given file is authentic, i.e. that
> it has been indeed created by a person that signed it (e.g. KDE release
> manager), and that its contents have not been tampered with since then.

No, it only proves that a specific key has been used to sign the file
(provided that it's hard to forge the signature). It does not prove whether
the user or a virus, someone who stole/found the key, … signed it.

[...]

I also miss a few words about revocation of compromised keys. That could be
user keys which got lost or (worst case) the master key.

Tobias

--
DISCLAIMER: Wasn't me! A monkey sat at my keyboard and typed one key per second for five years until he got this!
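
Added example, not part of the original message and not KDE's or GnuPG's own code: a verifier that acts on gpg's status lines makes both points of the reply concrete, since acceptance only ever means "this pinned key signed the file", and a revoked or expired key must be rejected even though the signature verifies. The pinned fingerprint, key names and sample status lines are constructed placeholders, and revocation is only detected if the local keyring already holds the revocation certificate.

```python
# Added example: turn gpg's machine-readable status lines
# (gpg --status-fd 1 --verify FILE.sig FILE) into an accept/reject decision.
# All fingerprints, names and sample lines are constructed placeholders.
PINNED = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}  # hypothetical release key
OTHER = "9999888877776666555544443333222211110000"     # hypothetical unknown key

# The signature verifies mathematically, but the key must not be trusted.
KEY_PROBLEMS = {"REVKEYSIG": "key revoked", "EXPKEYSIG": "key expired"}


def evaluate(status_output, pinned=PINNED):
    """Return (accepted, reason) for the status output of one verification."""
    good, fpr = False, None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in KEY_PROBLEMS:
            return False, KEY_PROBLEMS[keyword]
        if keyword in ("BADSIG", "ERRSIG"):
            return False, "signature does not verify"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            fpr = args[0]  # full fingerprint of the key that made the signature
    if not good or fpr is None:
        return False, "no valid signature found"
    if fpr not in pinned:
        return False, "signed by a key that is not a pinned release key"
    # Acceptance means "this key signed the file", not "this person did".
    return True, "valid signature from pinned key"


def sample(keyword, fpr):
    """Build constructed status output in the layout gpg emits."""
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] {keyword} {fpr[-16:]} Release Key (constructed)\n"
            f"[GNUPG:] VALIDSIG {fpr} 2010-05-26 1274878532 0 4 0 17 2 00 {fpr}\n")


if __name__ == "__main__":
    pinned_fpr = next(iter(PINNED))
    for kw, fpr in (("GOODSIG", pinned_fpr), ("REVKEYSIG", pinned_fpr),
                    ("GOODSIG", OTHER)):
        print(kw, fpr[-8:], evaluate(sample(kw, fpr)))
```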