[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-release-team
Subject: Re: Outdated GPG signing keys info on website
From: Ben Cooksley <bcooksley () kde ! org>
Date: 2018-10-28 18:31:41
Message-ID: CA+XidOFoz7THmmp9atSejd+ubE7fP2ddHr64+chBBk9tuRphuw () mail ! gmail ! com
[Download RAW message or body]
On Mon, 29 Oct 2018, 01:10 Albert Astals Cid <aacid@kde.org wrote:
> El diumenge, 28 d'octubre de 2018, a les 1:43:44 CET, Daniel Vrátil va
> escriure:
> > Hola!
> >
> > looking for GPG keys for Applications tarballs signatures,
>
> They are on the info page of each release, i.e.
> https://www.kde.org/info/applications-18.08.0.php
>
> The tarballs have been signed by Christoph Feck
> F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87.
>
> > Google has lead me
> > to https://kde.org/download/signature.php which contains a pair of
> fairly
> > outdated GPG keys - I don't know if this site is linked from anywhere,
> but IMO
> > it should either be updated with keys of people who do sign our tarballs
> these
> > days or removed completely - it would certainly improve the
> trustworthiness of
> > the signatures :-)
>
> They are only linked from a few 3.0.x releases.
>
> $ wcgrep signature.php
> ./download/signature.php:6:<!-- $Id: signature.php 523084 2006-03-27
> 11:23:21Z scripty $ -->
> ./info/3.0.4.php:35: <a href="http://www.kde.org/download/signature.php">KDE
> Signature page</a>
> ./info/3.0.2.php:34: <a href="http://www.kde.org/download/signature.php">KDE
> Signature page</a>
> ./info/3.0.5.php:32: <a href="http://www.kde.org/download/signature.php">KDE
> Signature page</a>
> ./info/3.0.3.php:35: <a href="http://www.kde.org/download/signature.php">KDE
> Signature page</a>
> ./info/3.0.5a.php:32: <a href="http://www.kde.org/download/signature.php">KDE
> Signature page</a>
>
> Given that those tarbals are no longer accessible on the web (which i find
> weird we remove stuff but that's how it is) I guess we can just remove that
> line and the page altogether.
>
The removal of things was an old policy and something which is no longer
followed.
Things get moved to the Attic now instead: https://download.kde.org/Attic/
(this is necessary as we have an agreement with our mirrors to keep stable/
within a certain size range)
> Cheers,
> Albert
>
Cheers,
Ben
> >
> > Cheers,
> > Daniel
> >
> >
> >
>
>
>
>
>
[Attachment #3 (text/html)]
<div dir="auto"><div><div class="gmail_quote"><div dir="ltr">On Mon, 29 Oct 2018, \
01:10 Albert Astals Cid <<a href="mailto:aacid@kde.org">aacid@kde.org</a> \
wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 \
.8ex;border-left:1px #ccc solid;padding-left:1ex">El diumenge, 28 d'octubre de 2018, \
a les 1:43:44 CET, Daniel Vrátil va escriure:<br> > Hola!<br>
> <br>
> looking for GPG keys for Applications tarballs signatures, <br>
<br>
They are on the info page of each release, i.e. <a \
href="https://www.kde.org/info/applications-18.08.0.php" rel="noreferrer noreferrer" \
target="_blank">https://www.kde.org/info/applications-18.08.0.php</a><br> <br>
The tarballs have been signed by Christoph Feck \
F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87. <br> <br>
> Google has lead me <br>
> to <a href="https://kde.org/download/signature.php" rel="noreferrer noreferrer" \
target="_blank">https://kde.org/download/signature.php</a> which contains a pair of \
fairly <br> > outdated GPG keys - I don't know if this site is linked from \
anywhere, but IMO <br> > it should either be updated with keys of people who do \
sign our tarballs these <br> > days or removed completely - it would certainly \
improve the trustworthiness of <br> > the signatures :-)<br>
<br>
They are only linked from a few 3.0.x releases.<br>
<br>
$ wcgrep signature.php<br>
./download/signature.php:6:<!-- $Id: signature.php 523084 2006-03-27 11:23:21Z \
scripty $ --><br>
./info/3.0.4.php:35: <a href="<a \
href="http://www.kde.org/download/signature.php" rel="noreferrer noreferrer" \
target="_blank">http://www.kde.org/download/signature.php</a>">KDE Signature \
page</a><br>
./info/3.0.2.php:34: <a href="<a \
href="http://www.kde.org/download/signature.php" rel="noreferrer noreferrer" \
target="_blank">http://www.kde.org/download/signature.php</a>">KDE Signature \
page</a><br>
./info/3.0.5.php:32: <a href="<a \
href="http://www.kde.org/download/signature.php" rel="noreferrer noreferrer" \
target="_blank">http://www.kde.org/download/signature.php</a>">KDE Signature \
page</a><br>
./info/3.0.3.php:35: <a href="<a \
href="http://www.kde.org/download/signature.php" rel="noreferrer noreferrer" \
target="_blank">http://www.kde.org/download/signature.php</a>">KDE Signature \
page</a><br>
./info/3.0.5a.php:32: <a href="<a \
href="http://www.kde.org/download/signature.php" rel="noreferrer noreferrer" \
target="_blank">http://www.kde.org/download/signature.php</a>">KDE Signature \
page</a><br> <br>
Given that those tarbals are no longer accessible on the web (which i find weird we \
remove stuff but that's how it is) I guess we can just remove that line and the \
page altogether.<br></blockquote></div></div><div dir="auto"><br></div><div \
dir="auto">The removal of things was an old policy and something which is no longer \
followed.</div><div dir="auto"><br></div><div dir="auto">Things get moved to the \
Attic now instead: <a \
href="https://download.kde.org/Attic/">https://download.kde.org/Attic/</a></div><div \
dir="auto"><br></div><div dir="auto">(this is necessary as we have an agreement with \
our mirrors to keep stable/ within a certain size range)</div><div \
dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"> <br>
Cheers,<br>
Albert<br></blockquote></div></div><div dir="auto"><br></div><div \
dir="auto">Cheers,</div><div dir="auto">Ben</div><div dir="auto"><br></div><div \
dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 \
0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
> <br>
> Cheers,<br>
> Daniel<br>
> <br>
> <br>
> <br>
<br>
<br>
<br>
<br>
</blockquote></div></div></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic