List: kde-devel
Subject: Re: Should we stop distributing source tarballs?
From: Marc Deop i Argemí <kde () marcdeop ! com>
Date: 2024-04-07 13:55:09
Message-ID: 2755982.vuYhMxLoTh () marc-xps15
On Saturday, 6 April 2024 18:22:22 CEST Sven Brauch wrote:
> This is basically a discussion about whether it is less risky to trust
> the individual developers, or the people with access to the CI signing
> key. You are trading likeliness of there being one bad actor vs. impact
> one bad actor can have. It's a matter of personal opinion; there is no
> right or wrong choice here.
No, it is not.
The key is that the infrastructure creation needs to also be automated.
Once you have the *bootstrap*, you can trust the automation because you can
review and audit it (to a certain degree, of course; there is nothing
bulletproof).
I have been surprised for years at how the KDE infrastructure is handled (so
many things done manually), but as I am not _in_, I cannot really judge because
I don't know all of the circumstances and context.
Best regards
Marc
["signature.asc" (application/pgp-signature)]