
List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Marc Deop i Argemí <kde () marcdeop ! com>
Date:       2024-04-07 13:55:09
Message-ID: 2755982.vuYhMxLoTh () marc-xps15


On Saturday, 6 April 2024 18:22:22 CEST Sven Brauch wrote:
> This is basically a discussion about whether it is less risky to trust
> the individual developers, or the people with access to the CI signing
> key. You are trading likeliness of there being one bad actor vs. impact
> one bad actor can have. It's a matter of personal opinion; there is no
> right or wrong choice here.

No, it is not.

The key is that the infrastructure creation needs to also be automated. 

Once you have the *bootstrap*, you can trust the automation because you can 
review and audit it (to a certain degree, of course; there is nothing 
bulletproof).

I have been surprised for years at how the KDE infrastructure is handled (so 
many things done manually), but as I am not _in_, I cannot really judge because 
I don't know all of the circumstances and context.

Best regards

Marc
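The point above is that a tarball produced by automation is only trustworthy insofar as its output can be audited, whoever holds the signing key. One concrete audit a downstream consumer can run is to compare a release tarball member-by-member against the tagged source checkout, so that any file present in the archive but absent from the repository, or differing from it, is flagged. The script below is an added example written for this thread, not KDE's release tooling: it builds a constructed source tree and two tarballs (one clean, one with an injected file) in a temporary directory, and reports extra, missing and modified paths. It assumes the tarball uses a single top-level directory prefix (as `git archive` produces); tarballs generated by `make dist` legitimately contain generated files and would need an allow-list for those.

```python
"""Audit a release tarball against a source checkout (constructed example)."""
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

SKIP_DIRS = {".git"}  # VCS metadata is never expected inside a release tarball


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = _sha256(full.read_bytes())
    return digests


def tarball_digests(tar_path: Path) -> dict:
    """Map member path (top-level prefix stripped) -> sha256 for regular members.

    Refuses archives whose member names escape the archive root, since such a
    tarball is itself a red flag regardless of content.
    """
    digests = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar:
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"unsafe member path: {member.name}")
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = _sha256(tar.extractfile(member).read())
    return digests


def compare(tree: dict, tar: dict) -> dict:
    """Report paths only in the tarball, only in the tree, or with differing content."""
    return {
        "extra": sorted(set(tar) - set(tree)),
        "missing": sorted(set(tree) - set(tar)),
        "modified": sorted(p for p in set(tree) & set(tar) if tree[p] != tar[p]),
    }


def _write_tarball(src: Path, out: Path, prefix: str, injected: dict) -> None:
    """Pack src under prefix/, skipping SKIP_DIRS, then append injected members."""
    def _filter(info):
        return None if any(p in SKIP_DIRS for p in info.name.split("/")) else info

    with tarfile.open(out, "w:gz") as tar:
        tar.add(src, arcname=prefix, filter=_filter)
        for rel, data in injected.items():  # simulates a file added outside VCS
            info = tarfile.TarInfo(f"{prefix}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> dict:
    """Build a constructed checkout, a clean tarball and a tampered one; compare each."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "checkout"
        (src / "src").mkdir(parents=True)
        (src / ".git").mkdir()
        (src / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        (src / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (src / "configure.ac").write_text("AC_INIT([project], [1.0])\n")
        expected = tree_digests(src)

        clean = Path(tmp) / "project-1.0.tar.gz"
        _write_tarball(src, clean, "project-1.0", {})
        tampered = Path(tmp) / "project-1.0-tampered.tar.gz"
        _write_tarball(src, tampered, "project-1.0",
                       {"scripts/not-in-git.sh": b"#!/bin/sh\n"})  # constructed name

        return {
            "clean": compare(expected, tarball_digests(clean)),
            "tampered": compare(expected, tarball_digests(tampered)),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In practice `tree_digests` is run on a fresh `git checkout <tag>` and `tarball_digests` on the downloaded archive; a non-empty `extra` or `modified` list means the automation (or whoever fed it) produced something the repository does not account for, which is exactly the gap a reviewer of the bootstrap wants to be able to see.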

