Hi,

On Friday 23 July 2010, Frederik Gladhorn wrote:
> Hi Andras,
> I am all for it, don't get me wrong. It's great to hear that you have
> experience with this. How did you handle the signatures? Was there a
> sort of keyring?

It was done in the same way as it is for mails. After all it is similar.
Anybody (well, any uploader) can sign the packages. This doesn't give
protection by itself. But the downloader gets information about who
signed the package. If the signature is trusted (i.e., he met the uploader
in person or verified in another way that the signature indeed belongs to
a person who is trusted), there is nothing he has to do. If the
signature is not trusted, he gets a warning (with the signature
information) and installation of the stuff happens only if the downloader
explicitly accepts it.

> to the way gpg and emails work. But then it only works for users
> that go to keysigning parties, doesn't it?

This depends on the downloader's standards. I might not have met in person a
certain developer/uploader, but might still trust him based on his past
experience. Like Quanta users would probably trust packages uploaded by
Quanta developers.

AFAIK the only issue with the old implementation was that it used the
gpg executable instead of the gpgme++ library, because the latter was
GPL, not LGPL. As I see they are now LGPL and in kdepimlibs, so a
solution would be to use it.

Andras
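The flow described in the message above, as an added example that is not part of the original mail or of any KDE code: it maps the machine-readable status lines that `gpg --status-fd 1 --verify` emits to an install decision. The status outputs, key ID and fingerprint are constructed samples; rejecting packages without a verifiable signature and treating marginal trust as untrusted are assumptions the mail does not cover.

```python
from enum import Enum

class Decision(Enum):
    INSTALL = "install"  # valid signature from a trusted key: nothing to confirm
    ASK_USER = "ask"     # valid signature, untrusted key: warn, install only on explicit accept
    REJECT = "reject"    # no verifiable signature (assumed policy, not covered in the mail)

FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # assumption: marginal trust still prompts

def evaluate(status_output):
    """Map `gpg --status-fd 1 --verify` output to (Decision, signer or None)."""
    signer, valid, trust, failed = None, False, None, False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ignore human-readable lines mixed into the stream
        keyword = fields[1]
        if keyword in FAILED:
            failed = True
        elif keyword == "GOODSIG" and len(fields) >= 3:
            signer = " ".join(fields[3:]) or fields[2]  # user ID, else key ID
        elif keyword == "VALIDSIG":
            valid = True
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if failed or signer is None or not valid:
        return Decision.REJECT, None
    if trust in TRUSTED:
        return Decision.INSTALL, signer
    return Decision.ASK_USER, signer  # caller shows the signer and waits for consent

# Constructed sample status output (not captured from a real package).
KEY, FPR = "0123456789ABCDEF", "AB" * 20
UPLOADER = "Example Uploader <uploader@example.org>"
GOOD = f"[GNUPG:] GOODSIG {KEY} {UPLOADER}\n[GNUPG:] VALIDSIG {FPR} 2010-07-23\n"
SAMPLE_TRUSTED = GOOD + "[GNUPG:] TRUST_FULLY 0 pgp\n"
SAMPLE_UNTRUSTED = "gpg: Good signature\n" + GOOD + "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
SAMPLE_TAMPERED = f"[GNUPG:] BADSIG {KEY} {UPLOADER}\n"
SAMPLE_NO_KEY = f"[GNUPG:] ERRSIG {KEY} 17 2 00 1279872000 9\n[GNUPG:] NO_PUBKEY {KEY}\n"

if __name__ == "__main__":
    for name in ("TRUSTED", "UNTRUSTED", "TAMPERED", "NO_KEY"):
        print(name, evaluate(globals()["SAMPLE_" + name]))
```
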