[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Johannes Zarl-Zierl <johannes () zarl-zierl ! at>
Date:       2024-04-05 15:22:56
Message-ID: 1890167.OmeMTN2Xfc () jo2021
[Download RAW message or body]


Am Freitag, 5. April 2024, 13:45:35 CEST schrieb Carl Schwan:
> On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > - Tarballs should only be generated in a reproducible manner using
> > scripts. Ideally by the CI only.
> > - We should start to sign tarballs in the CI.
> 
> I disagree. I want my tarball to be signed with my GPG key stored in my
> Yubiky and not by a generic KDE key. It should be a proof that I as a
> maintainer of a project did the release and not someone else. Same with the
> upload to download.kde.org, while this adds some overhead in the process, I
> think it is important that KDE Sysadmins are the one who move the tarball
> to their final location and do some minimal check (checksum match, it's not
> a random person doing the release, ...).

Signing with a KDE key could have some benefits, though. It's far easier for 
distros (or users) to check KDE software against a single, well known key.

On could mitigate the downside that you mentioned by having the script check 
the tag signature against a keyring of trusted keys.

Cheers,
  Johannes
["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]