'Re: Should we stop distributing source tarballs?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Ben Cooksley <bcooksley () kde ! org>
Date:       2024-04-06 2:47:27
Message-ID: CA+XidOFh8JScdMJQ7CRuqrZOqq0MkwaG-h62Vi-HvxTQUEEnOQ () mail ! gmail ! com
[Download RAW message or body]

On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl <johannes@zarl-zierl.at>
wrote:

> Am Freitag, 5. April 2024, 13:45:35 CEST schrieb Carl Schwan:
> > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > > - Tarballs should only be generated in a reproducible manner using
> > > scripts. Ideally by the CI only.
> > > - We should start to sign tarballs in the CI.
> >
> > I disagree. I want my tarball to be signed with my GPG key stored in my
> > Yubiky and not by a generic KDE key. It should be a proof that I as a
> > maintainer of a project did the release and not someone else. Same with
> the
> > upload to download.kde.org, while this adds some overhead in the
> process, I
> > think it is important that KDE Sysadmins are the one who move the tarball
> > to their final location and do some minimal check (checksum match, it's
> not
> > a random person doing the release, ...).
>
> Signing with a KDE key could have some benefits, though. It's far easier
> for
> distros (or users) to check KDE software against a single, well known key.
>
> On could mitigate the downside that you mentioned by having the script
> check
> the tag signature against a keyring of trusted keys.
>

Please see https://invent.kde.org/sysadmin/release-keyring/ - our process
for validating tarballs for release already includes ensuring the GPG
signatures provided are included in that keyring.
All modern releases of KDE software that come with a GPG signature whose
key is not in that keyring should be rejected.

Developers should also consider adding their keys to Gitlab at
https://invent.kde.org/-/profile/gpg_keys
Following this, your GPG key will be published at
https://invent.kde.org/$username.gpg


>
> Cheers,
>   Johannes


Cheers,
Ben

[Attachment #3 (text/html)]

<div dir="ltr"><div dir="ltr">On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl \
&lt;<a href="mailto:johannes@zarl-zierl.at">johannes@zarl-zierl.at</a>&gt; \
wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" \
style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">Am Freitag, 5. April 2024, 13:45:35 CEST schrieb \
Carl Schwan:<br> &gt; On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora \
wrote:<br> &gt; &gt; - Tarballs should only be generated in a reproducible manner \
using<br> &gt; &gt; scripts. Ideally by the CI only.<br>
&gt; &gt; - We should start to sign tarballs in the CI.<br>
&gt; <br>
&gt; I disagree. I want my tarball to be signed with my GPG key stored in my<br>
&gt; Yubiky and not by a generic KDE key. It should be a proof that I as a<br>
&gt; maintainer of a project did the release and not someone else. Same with the<br>
&gt; upload to <a href="http://download.kde.org" rel="noreferrer" \
target="_blank">download.kde.org</a>, while this adds some overhead in the process, \
I<br> &gt; think it is important that KDE Sysadmins are the one who move the \
tarball<br> &gt; to their final location and do some minimal check (checksum match, \
it&#39;s not<br> &gt; a random person doing the release, ...).<br>
<br>
Signing with a KDE key could have some benefits, though. It&#39;s far easier for <br>
distros (or users) to check KDE software against a single, well known key.<br>
<br>
On could mitigate the downside that you mentioned by having the script check <br>
the tag signature against a keyring of trusted \
keys.<br></blockquote><div><br></div><div>Please see  <a \
href="https://invent.kde.org/sysadmin/release-keyring/">https://invent.kde.org/sysadmin/release-keyring/</a> \
- our process for validating tarballs for release already includes ensuring the GPG \
signatures provided are included in that keyring.</div><div>All modern releases of \
KDE software that come with a GPG signature whose key is not in that keyring should \
be rejected.</div><div><br></div><div>Developers should also consider adding their \
keys to Gitlab at  <a \
href="https://invent.kde.org/-/profile/gpg_keys">https://invent.kde.org/-/profile/gpg_keys</a></div><div>Following \
this, your GPG key will be published at <a \
href="https://invent.kde.org/$username.gpg">https://invent.kde.org/$username.gpg</a></div><div> \
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px \
solid rgb(204,204,204);padding-left:1ex"> <br>
Cheers,<br>
   Johannes</blockquote><div><br></div><div>Cheers,</div><div>Ben</div></div></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic