List: kde-devel
Subject: Re: Proposal: Implementing signing process for official tarballs (try
From: Tobias Ellinghaus <houz () gmx ! de>
Date: 2010-05-26 12:55:32
Message-ID: 201005261455.33108.houz () gmx ! de
On Wednesday, 26 May 2010, Joanna Rutkowska wrote:
[...]
> Digital Signatures can prove that a given file is authentic, i.e. that
> it has been indeed created by a person that signed it (e.g. KDE release
> manager), and that its contents have not been tampered with since then.
No, it only proves that a specific key has been used to sign the file
(provided that it's hard to forge the signature). It does not prove whether
the user or a virus, someone who stole/found the key, … signed it.
[...]
I also miss a few words about revocation of compromised keys. That could be
user keys which got lost or (worst case) the master key.
Tobias
--
DISCLAIMER:
Wasn't me! A monkey sat at my keyboard and typed one key per second for five
years until he got this!