[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: Should we stop distributing source tarballs?
From: Ben Cooksley <bcooksley () kde ! org>
Date: 2024-04-06 2:47:27
Message-ID: CA+XidOFh8JScdMJQ7CRuqrZOqq0MkwaG-h62Vi-HvxTQUEEnOQ () mail ! gmail ! com
[Download RAW message or body]
On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl <johannes@zarl-zierl.at>
wrote:
> Am Freitag, 5. April 2024, 13:45:35 CEST schrieb Carl Schwan:
> > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > > - Tarballs should only be generated in a reproducible manner using
> > > scripts. Ideally by the CI only.
> > > - We should start to sign tarballs in the CI.
> >
> > I disagree. I want my tarball to be signed with my GPG key stored in my
> > Yubiky and not by a generic KDE key. It should be a proof that I as a
> > maintainer of a project did the release and not someone else. Same with
> the
> > upload to download.kde.org, while this adds some overhead in the
> process, I
> > think it is important that KDE Sysadmins are the one who move the tarball
> > to their final location and do some minimal check (checksum match, it's
> not
> > a random person doing the release, ...).
>
> Signing with a KDE key could have some benefits, though. It's far easier
> for
> distros (or users) to check KDE software against a single, well known key.
>
> On could mitigate the downside that you mentioned by having the script
> check
> the tag signature against a keyring of trusted keys.
>
Please see https://invent.kde.org/sysadmin/release-keyring/ - our process
for validating tarballs for release already includes ensuring the GPG
signatures provided are included in that keyring.
All modern releases of KDE software that come with a GPG signature whose
key is not in that keyring should be rejected.
Developers should also consider adding their keys to Gitlab at
https://invent.kde.org/-/profile/gpg_keys
Following this, your GPG key will be published at
https://invent.kde.org/$username.gpg
>
> Cheers,
> Johannes
Cheers,
Ben
[Attachment #3 (text/html)]
<div dir="ltr"><div dir="ltr">On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl \
<<a href="mailto:johannes@zarl-zierl.at">johannes@zarl-zierl.at</a>> \
wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" \
style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">Am Freitag, 5. April 2024, 13:45:35 CEST schrieb \
Carl Schwan:<br> > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora \
wrote:<br> > > - Tarballs should only be generated in a reproducible manner \
using<br> > > scripts. Ideally by the CI only.<br>
> > - We should start to sign tarballs in the CI.<br>
> <br>
> I disagree. I want my tarball to be signed with my GPG key stored in my<br>
> Yubiky and not by a generic KDE key. It should be a proof that I as a<br>
> maintainer of a project did the release and not someone else. Same with the<br>
> upload to <a href="http://download.kde.org" rel="noreferrer" \
target="_blank">download.kde.org</a>, while this adds some overhead in the process, \
I<br> > think it is important that KDE Sysadmins are the one who move the \
tarball<br> > to their final location and do some minimal check (checksum match, \
it's not<br> > a random person doing the release, ...).<br>
<br>
Signing with a KDE key could have some benefits, though. It's far easier for <br>
distros (or users) to check KDE software against a single, well known key.<br>
<br>
On could mitigate the downside that you mentioned by having the script check <br>
the tag signature against a keyring of trusted \
keys.<br></blockquote><div><br></div><div>Please see <a \
href="https://invent.kde.org/sysadmin/release-keyring/">https://invent.kde.org/sysadmin/release-keyring/</a> \
- our process for validating tarballs for release already includes ensuring the GPG \
signatures provided are included in that keyring.</div><div>All modern releases of \
KDE software that come with a GPG signature whose key is not in that keyring should \
be rejected.</div><div><br></div><div>Developers should also consider adding their \
keys to Gitlab at <a \
href="https://invent.kde.org/-/profile/gpg_keys">https://invent.kde.org/-/profile/gpg_keys</a></div><div>Following \
this, your GPG key will be published at <a \
href="https://invent.kde.org/$username.gpg">https://invent.kde.org/$username.gpg</a></div><div> \
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px \
solid rgb(204,204,204);padding-left:1ex"> <br>
Cheers,<br>
Johannes</blockquote><div><br></div><div>Cheers,</div><div>Ben</div></div></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic