[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: Proposal: Implementing signing process for official tarballs (
From: Jeffery MacEachern <j.maceachern () gmail ! com>
Date: 2010-05-26 16:09:19
Message-ID: 1274890159.3694.9.camel () Nokia-N900
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
----- Original message -----
> Am Mittwoch, 26. Mai 2010 schrub Joanna Rutkowska:
> > On 05/26/2010 02:55 PM, Tobias Ellinghaus wrote:
> > > Am Mittwoch, 26. Mai 2010 schrub Joanna Rutkowska:
> > >
> > > [...]
> > >
> > > > Digital Signatures can prove that a given file is authentic, i.e.
> > > > that is has been indeed created by a person that signed it (e.g.
> > > > KDE release manager), and that its contents has not been tampered
> > > > since then.
> > >
> > > No, it only proves that a specific key has been used to sign the file
> > > (provided that it's hard to forge the signature). It does not prove
> > > whether the user or a virus, someone who stole/found the key, …
> > > signed it.
> >
> > That's absolutely true. That's why security of the desktop OS is so
> > important. But I made a (silent) assumption that any serious
> > developer/package manager, would be using a dedicated machine for
> > development/packaging/signing. Specifically would not be using the same
> > machine for also browsing the Web, etc.
>
> I dare to doubt that many developers can or want to afford the expenses
> and hassle to have an extra computer standing around just for signing
> and stuff.
I would also note that one wouldn't need anything expensive for merely signing \
tarballs; an older machine - more than capable of doing such tasks - can probably be \
built for cheap or free (or pulled out of the closet, in the case of some people).
>
> > joanna.
>
> Tobias
>
> --
> "Programming today is a race between software engineers striving to
> build bigger and better idiot-proof programs, and the Universe trying
> to produce bigger and better idiots. So far, the Universe is winning."
> - Rich Cook
[Attachment #5 (text/html)]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" \
"http://www.w3.org/TR/html4/loose.dtd"> <html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="generator" content="Osso Notes">
<title></title></head>
<body>
<p>----- Original message -----
<br>> Am Mittwoch, 26. Mai 2010 schrub Joanna Rutkowska:
<br>> > On 05/26/2010 02:55 PM, Tobias Ellinghaus wrote:
<br>> > > Am Mittwoch, 26. Mai 2010 schrub Joanna Rutkowska:
<br>> > >
<br>> > > [...]
<br>> > >
<br>> > > > Digital Signatures can prove that a given file is authentic, \
i.e. <br>> > > > that is has been indeed created by a person that signed \
it (e.g. <br>> > > > KDE release manager), and that its contents has not \
been tampered <br>> > > > since then.
<br>> > >
<br>> > > No, it only proves that a specific key has been used to sign the \
file <br>> > > (provided that it's hard to forge the signature). It does not \
prove <br>> > > whether the user or a virus, someone who stole/found the \
key, … <br>> > > signed it.
<br>> >
<br>> > That's absolutely true. That's why security of the desktop OS is so
<br>> > important. But I made a (silent) assumption that any serious
<br>> > developer/package manager, would be using a dedicated machine for
<br>> > development/packaging/signing. Specifically would not be using the same
<br>> > machine for also browsing the Web, etc.
<br>>
<br>> I dare to doubt that many developers can or want to afford the expenses
<br>> and  hassle to have an extra computer standing around just for \
signing <br>> and stuff.
<br>I would also note that one wouldn't need anything expensive for merely signing \
tarballs; an older machine - more than capable of doing such tasks - can probably be \
built for cheap or free (or pulled out of the closet, in the case of some people). \
<br>> <br>> > joanna.
<br>>
<br>> Tobias
<br>>
<br>> --
<br>> "Programming today is a race between software engineers striving to
<br>> build bigger and better idiot-proof programs, and the Universe trying
<br>> to produce bigger and better idiots. So far, the Universe is winning."
<br>> - Rich Cook
<br><br></p>
</body>
</html>
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic