List: kde-devel
Subject: Re: Should we stop distributing source tarballs?
From: Johannes Zarl-Zierl <johannes () zarl-zierl ! at>
Date: 2024-04-05 15:22:56
Message-ID: 1890167.OmeMTN2Xfc () jo2021
On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote:
> On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > - Tarballs should only be generated in a reproducible manner using
> > scripts. Ideally by the CI only.
> > - We should start to sign tarballs in the CI.
>
> I disagree. I want my tarball to be signed with my GPG key stored in my
> YubiKey and not by a generic KDE key. It should be a proof that I as a
> maintainer of a project did the release and not someone else. Same with the
> upload to download.kde.org, while this adds some overhead in the process, I
> think it is important that KDE Sysadmins are the ones who move the tarball
> to their final location and do some minimal check (checksum match, it's not
> a random person doing the release, ...).
Signing with a KDE key could have some benefits, though. It's far easier for
distros (or users) to check KDE software against a single, well known key.
One could mitigate the downside that you mentioned by having the script check
the tag signature against a keyring of trusted keys.
Cheers,
Johannes
["signature.asc" (application/pgp-signature)]
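One way a release script could do the check Johannes describes, as an added example that is not KDE's release tooling: the tag signature is verified with a dedicated keyring, and the signing key's fingerprint must be on an explicit allowlist of maintainer keys. The fingerprints, tag name and keyring directory below are placeholders, and the gpg status text is constructed for the self-test; the check also rejects signatures from expired or revoked keys, which gpg still reports as VALIDSIG.

```shell
#!/bin/sh
# Added example (not KDE's tooling): gate a release on the tag being signed
# by a key from an explicit maintainer allowlist.

# Placeholder fingerprints of trusted maintainer keys (constructed values).
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567
89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Placeholder: a GNUPGHOME holding only the maintainer keys above.
RELEASE_KEYRING_DIR=${RELEASE_KEYRING_DIR:-/srv/release-keyring}

# is_trusted_fpr FPR -> 0 if FPR is on the allowlist, 1 otherwise.
is_trusted_fpr() {
    for t in $TRUSTED_FPRS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# check_gpg_status STATUS_TEXT -> 0 only if gpg's --status-fd output reports
# a VALIDSIG whose primary-key fingerprint (12th field) is on the allowlist
# and no expired/revoked/bad signature tokens are present.
check_gpg_status() {
    if printf '%s\n' "$1" | grep -Eq '^\[GNUPG:\] (EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG) '; then
        return 1
    fi
    fpr=$(printf '%s\n' "$1" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $12; exit}')
    [ -n "$fpr" ] || return 1
    is_trusted_fpr "$fpr"
}

# verify_tag TAG -> 0 if the tag's signature passes check_gpg_status.
# git verify-tag --raw prints gpg's raw status output on stderr.
verify_tag() {
    status=$(GNUPGHOME="$RELEASE_KEYRING_DIR" git verify-tag --raw "$1" 2>&1 >/dev/null) || true
    check_gpg_status "$status"
}

# Constructed gpg status samples for the self-test below.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager (constructed) <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-04-05 1712330556 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else (constructed) <x@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-04-05 1712330556 0 4 0 22 8 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98'
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Release Manager (constructed) <rm@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-04-05 1712330556 0 4 0 22 8 01 0123456789ABCDEF0123456789ABCDEF01234567'
```

In a real run, `verify_tag v1.2.3` would be the gate before the tarball is generated; the samples only exercise the status parsing without needing gpg or git.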