
List:       kde-devel
Subject:    Re: Proposal: Implementing signing process for official tarballs (
From:       Jeffery MacEachern <j.maceachern () gmail ! com>
Date:       2010-05-26 16:09:19
Message-ID: 1274890159.3694.9.camel () Nokia-N900


----- Original message -----
> On Wednesday, 26 May 2010, Joanna Rutkowska wrote:
> > On 05/26/2010 02:55 PM, Tobias Ellinghaus wrote:
> > > On Wednesday, 26 May 2010, Joanna Rutkowska wrote:
> > > 
> > > [...]
> > > 
> > > > Digital Signatures can prove that a given file is authentic, i.e.
> > > > that it has been indeed created by a person that signed it (e.g.
> > > > KDE release manager), and that its contents have not been tampered
> > > > since then.
> > > 
> > > No, it only proves that a specific key has been used to sign the file
> > > (provided that it's hard to forge the signature). It does not prove
> > > whether the user or a virus, someone who stole/found the key, …
> > > signed it.
> > 
> > That's absolutely true. That's why security of the desktop OS is so
> > important. But I made a (silent) assumption that any serious
> > developer/package manager would be using a dedicated machine for
> > development/packaging/signing. Specifically would not be using the same
> > machine for also browsing the Web, etc.
> 
> I dare to doubt that many developers can or want to afford the expenses
> and hassle to have an extra computer standing around just for signing
> and stuff.
I would also note that one wouldn't need anything expensive for merely signing
tarballs; an older machine - more than capable of doing such tasks - can probably be
built for cheap or free (or pulled out of the closet, in the case of some people).
> 
> > joanna.
> 
> Tobias
> 
> -- 
> "Programming today is a race between software engineers striving to
> build bigger and better idiot-proof programs, and the Universe trying
> to produce bigger and better idiots. So far, the Universe is winning."
> - Rich Cook




