[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: KNewStuff and GPG question
From:       Andras Mantia <amantia () kde ! org>
Date:       2010-07-23 7:54:02
Message-ID: 201007231054.09760.amantia () kde ! org
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


Hi,

On Friday 23 July 2010, Frederik Gladhorn wrote:
> Hi Andras,
> I am all for it, don't get me wrong. It's great to hear that you have
> experience with this. How did  you handle the signatures? Was there a
> sort of keyring?

It was done in the same way as it is for mails. After all it is similar. 
Anybody (well, any uploader) can sign the packages. This doesn't give 
protection by itself. But the downloader gets an information about who 
signed the package. If the signature is trusted (ie, he met the uploader 
in person or verified in another way that the signature indeed belongs to 
a person who is trusted), there is nothing he has to do. If the 
signature is not trusted, he gets a warning (with the signature 
information) and installation of the stuff happens only if the downloader 
explicitely accepts it.

> to the way gpg and emails work. But then it only works for users
> that go to keysigning parties, doesn't it?

This depends on the downloader standards. I might not met in person a 
certain developer/uploader, but might still trust him based on his past 
experience. Like Quanta users would probably trust packages uploaded by 
Quanta developers.

AFAIK the only issue with the old implementation  was that it used the 
gpg executable instead of the gpgme++ library, because the latter was 
GPL, not LGPL. As I see they are now LGPL and in kdepimlibs, so a 
solution would be to use it.

Andras

["signature.asc" (application/pgp-signature)]

>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<


[prev in list] [next in list] [prev in thread] [next in thread]