
List:       kde-devel
Subject:    Re: digital signatures for kde sources?
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2010-05-27 16:35:04
Message-ID: 4BFE9F38.5000001 () invisiblethingslab ! com

On 05/27/2010 05:50 PM, Jonathan Raphael Joachim Kolberg wrote:
> On Wednesday 26 May 2010 17:25:48, Arno Rehn wrote:
>> Couldn't you just checkout the appropriate tag from KDE's svn repository,
>> using svn+ssh? Your connection would then be secure and SVN commits
>> themselves are constantly checked by people watching the kde-commits ML.
> That's a good point.
> 

Not really:

First, most users would not be able to verify the ssh fingerprint. In
order to let users do it correctly, you would need to take the same
actions as are required for making the signing keys verifiable [1].

Second, this doesn't protect you against SVN server compromises. In that
case the attacker is able to selectively subvert the sources only to
some users, making it nearly impossible for the community to spot the
attacks.

Third, it is really the release manager's job to fetch the sources from
the repository, verify them, and pack them as a tarball or some other
packages. And sign them afterwards. See [1] for more details about what
the release manager should do.

joanna.

[1] http://mail.kde.org/pipermail/release-team/2010-May/003890.html

