From kde-devel Thu May 27 16:35:04 2010
From: Joanna Rutkowska
Date: Thu, 27 May 2010 16:35:04 +0000
To: kde-devel
Subject: Re: digital signatures for kde sources?
Message-Id: <4BFE9F38.5000001 () invisiblethingslab ! com>
X-MARC-Message: https://marc.info/?l=kde-devel&m=127497799104903

On 05/27/2010 05:50 PM, Jonathan Raphael Joachim Kolberg wrote:
> On Wednesday 26 May 2010 17:25:48, Arno Rehn wrote:
>> Couldn't you just check out the appropriate tag from KDE's svn repository,
>> using svn+ssh? Your connection would then be secure and SVN commits
>> themselves are constantly checked by people watching the kde-commits ML.
> That's a good point.
>

Not really:

First, most users would not be able to verify the ssh fingerprint. In
order to let users do it correctly, you would need to take the same
actions as are required with making the signing keys verifiable [1].

Second, this doesn't protect you against SVN server compromises. In that
case the attacker is able to selectively subvert the sources only to some
users, making it nearly impossible for the community to spot the attacks.

Third, it is really the release manager's job to fetch the sources from
the repository, verify them, and pack them as a tarball or some other
packages. And sign them afterwards. See [1] for more details about what
the release manager should do.

joanna.

[1] http://mail.kde.org/pipermail/release-team/2010-May/003890.html
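The second and third points above (a compromised repository server feeding different sources to different users, and the release manager signing the packed result so that each downloader can check it independently of the transport) can be shown with a small model. The following Go program is an added example for this thread, not KDE's code or anything from the release-team post: Ed25519 from Go's standard library stands in for the OpenPGP release key, the tarball contents are a constructed byte string, and the names `MakeRelease`, `CheckDownload`, `ServeSelectively` and `RunScenario` are this example's own. It shows that a detached signature published once lets the one targeted user detect the substitution even though every other user received the genuine bytes and no transport check would have flagged anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what the release manager publishes: the packed sources and a
// detached signature over them made with the long-lived release key.
// (Ed25519 from Go's standard library stands in for the OpenPGP key here.)
type Release struct {
	Tarball   []byte
	Signature []byte
}

// MakeRelease is the release manager's step from the thread: take the
// sources already fetched and reviewed, pack them (modelled as src), sign.
func MakeRelease(priv ed25519.PrivateKey, src []byte) Release {
	return Release{Tarball: src, Signature: ed25519.Sign(priv, src)}
}

// CheckDownload is the user's step: verify the bytes actually received
// against the published signature, using a release key obtained out of band.
// Transport security (svn+ssh, https) plays no role in this check.
func CheckDownload(pub ed25519.PublicKey, received, sig []byte) bool {
	return ed25519.Verify(pub, received, sig)
}

// ServeSelectively models a compromised server that hands one chosen user a
// modified tarball and everyone else the genuine one; it returns what each
// user's verification step reports.
func ServeSelectively(pub ed25519.PublicKey, rel Release, users []string, victim string, evil []byte) map[string]bool {
	results := make(map[string]bool, len(users))
	for _, u := range users {
		got := rel.Tarball
		if u == victim {
			got = evil
		}
		results[u] = CheckDownload(pub, got, rel.Signature)
	}
	return results
}

// RunScenario wires the pieces together with constructed data and returns
// whether the honest user's and the targeted user's checks passed.
func RunScenario() (honestOK, victimOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed stand-in for the packed source tree (not a real tarball).
	src := []byte("constructed stand-in for the contents of a release tarball")
	rel := MakeRelease(priv, src)

	// The attacker flips a single bit in the copy delivered to one user only;
	// everyone else keeps seeing the genuine release, so nobody else notices.
	evil := append([]byte(nil), src...)
	evil[0] ^= 0x01

	res := ServeSelectively(pub, rel, []string{"alice", "bob"}, "bob", evil)
	return res["alice"], res["bob"], nil
}

func main() {
	honestOK, victimOK, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("honest user verifies:   %v\n", honestOK) // true
	fmt.Printf("targeted user verifies: %v\n", victimOK) // false: substitution detected
}
```

The part that the signature does not solve is the one the first point in the mail raises: `pub` has to reach users through some channel they can trust, which is exactly the key-verifiability work referenced in [1]. With ssh fingerprints the same problem exists, but without the benefit that the artifact itself carries proof of who packed it.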