[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-release-team
Subject: Re: Proposal: Implementing signing process for official tarballs (try
From: Dirk Mueller <mueller () kde ! org>
Date: 2010-05-28 21:32:58
Message-ID: 201005282332.58958.mueller () kde ! org
[Download RAW message or body]
On Wednesday 26 May 2010, Joanna Rutkowska wrote:
> Digital Signatures do *not* prove any other property, e.g. that the file
> is not malicious. In fact there is nothing that could stop people from
> signing a malicious program, and it even happens from time to time in
> reality.
Well,in fact we had gpg signatures for KDE releases up to 3.5.7, with a
published gpg key (up to 2007). Somewhen around that I forgot the passphrase
to the key, so I had to stop using it. It wasn't compromised, in fact it is
still sitting on a special machine that I haven't used for anything else
(meanwhile I don't think it boots anymore, at least I haven't tried for
several years). I will also not be able to recover the passphrase as it was
fairly long so a brute-force attack is not going to get anywhere.
I'm fine with providing a signature again, but fact is that nobody requested
them again so far. Just providing the md5sums on the website was enough so far
- people are mostly concerned about incomplete/wrong downloads rather than
malicious attacks.
Greetings,
Dirk
_______________________________________________
release-team mailing list
release-team@kde.org
https://mail.kde.org/mailman/listinfo/release-team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic