List:       kde-release-team
Subject:    Re: Source Signing
From:       Rolf Eike Beer <kde () opensource ! sf-tec ! de>
Date:       2019-09-24 10:13:11
Message-ID: ff899bf2fc796f889f34452b910c52cd () opensource ! sf-tec ! de

On 2019-09-24 00:30, Albert Astals Cid wrote:
> On Thursday, 19 September 2019, at 14:49:53 CEST, Tom Albers wrote:
>> I'd also like to add that currently some developers have access to do 
>> releases directly - I've also seen those people putting the files on 
>> the ftp-server for other projects than the original intention had 
>> been.
>> 
>> I would like to propose that *all* releases should follow the below 
>> proposal, effectively that would involve that the direct access would 
>> be cancelled for those currently having access to the ftp-server 
>> directly.
>> This means an improved paper trail for those releases too and further 
>> reduces the effect of compromised accounts and / or tarballs.
> 
> -1 this just makes it harder for us that have 200 packages to release
> for no real reason.
> 
> If my gpg/ssh keys get compromised, what difference does it make that
> I upload directly to the ftp-server or to the "sysadmin please upload
> this" server?

When I read the proposal there is possibly just one thing missing:

If all checks pass (signing etc.) _AND_ the gpg key is already in the 
list of trusted keys, then just do it (no manual verifying needed).

Or am I missing something obvious?

Eike
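
The automatic path suggested in this message, as an added example (not part of the original mail and not KDE sysadmin tooling): a Python gate that reads `gpg --status-fd 1 --verify` output and publishes only when the signature verifies and the primary key fingerprint is on an allowlist. The fingerprints, the allowlist, the sample status lines and the three outcome names are assumptions made for the example.

```python
# Added example: auto-publish gate over `gpg --status-fd 1 --verify` output.
# All fingerprints, key IDs and status lines are constructed sample data.

# Hypothetical allowlist of release-manager primary key fingerprints.
TRUSTED_FPRS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}

# Status keywords that rule out publication of the upload.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def decide(status_output, trusted=TRUSTED_FPRS):
    """Return 'publish', 'manual-review' or 'reject' for one upload."""
    good = False
    primaries = []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg text is not a stable interface
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return "reject"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # fields[2] is the signing (sub)key; the optional tenth argument
            # is the primary key fingerprint, which is what the list holds.
            primaries.append((fields[11] if len(fields) > 11 else fields[2]).upper())
    # Exactly one verified signature is expected on a release tarball.
    if not good or len(primaries) != 1:
        return "reject"
    return "publish" if primaries[0] in trusted else "manual-review"

def sample_status(primary_fpr, verdict="GOODSIG"):
    """Build constructed status lines for a signature made by a subkey."""
    subkey = "9999" * 10
    lines = ["[GNUPG:] NEWSIG",
             "[GNUPG:] %s %s Constructed Releaser <rel@example.org>" % (verdict, subkey[-16:])]
    if verdict == "GOODSIG":
        lines.append("[GNUPG:] VALIDSIG %s 2019-09-24 1569319991 0 4 0 1 8 00 %s"
                     % (subkey, primary_fpr))
    return "\n".join(lines)

if __name__ == "__main__":
    print(decide(sample_status("AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555")))
    print(decide(sample_status("FFFF" * 10)))
    print(decide(sample_status("FFFF" * 10, verdict="BADSIG")))
```

The gate matches on the primary key fingerprint from the VALIDSIG status line rather than on the user ID or short key ID, since those can be chosen freely by whoever creates a key.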