ATT: svn.kde.org has been updated
Martijn Klingens
klingens at kde.org
Tue Apr 12 10:08:19 BST 2005
On Monday 11 April 2005 23:34, Ingo Klöcker wrote:
> The fingerprint can be clearsigned by anybody who has access to the
> certificate and can thus verify the MD5 digest of the certificate, i.e.
> by anybody who has admin rights on the svn server. So the fingerprint
> could be approved by several OpenPGP keys, not just mine.

That'd be a good alternative actually.

> [...] although I don't think it's really necessary. I mean did anybody
> of you doing cvs via ssh verify that you were really talking to the right
> ssh server or did you simply accept the ssh server's certificate?

I'd hope so for those who have the rights to commit to places like admin/ and
CVSROOT/.

I don't really care for normal code, because it's easy to revert a malicious
commit (heck, I'm still using pserver myself). Malicious commits to admin/
and CVSROOT can have a much bigger and more disastrous impact.

Admittedly, the handful of people who can commit there can also use GPG-signed
signatures because they all have each other's keys. Not getting a popup in
Konq about certificates being self-signed e.g. when browsing websvn would
still seem more professional to me though.

--
Martijn