Should we stop distributing source tarballs?

Johannes Zarl-Zierl johannes at zarl-zierl.at
Fri Apr 5 16:22:56 BST 2024


On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote:
> On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > - Tarballs should only be generated in a reproducible manner using
> > scripts. Ideally by the CI only.
> > - We should start to sign tarballs in the CI.
> 
> I disagree. I want my tarball to be signed with my GPG key stored in my
> YubiKey and not by a generic KDE key. It should be a proof that I as a
> maintainer of a project did the release and not someone else. Same with the
> upload to download.kde.org: while this adds some overhead in the process, I
> think it is important that KDE Sysadmins are the ones who move the tarball
> to their final location and do some minimal check (checksum match, it's not
> a random person doing the release, ...).

Signing with a KDE key could have some benefits, though. It's far easier for 
distros (or users) to check KDE software against a single, well known key.

One could mitigate the downside that you mentioned by having the script check 
the tag signature against a keyring of trusted keys.

Cheers,
  Johannes
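One way the proposed check could look, as an added example that is not part of this thread or of KDE's release tooling: the CI verifies the release tag against an isolated keyring holding only maintainer keys, allowlists maintainers by primary-key fingerprint (so a signing subkey on a YubiKey still matches), and only then proceeds to sign the tarball with the project key. The fingerprint, the keyring directory layout and the script's interface are assumptions.

```python
import os
import subprocess
from typing import Iterable, Optional

# Hypothetical allowlist of maintainers' primary-key fingerprints; in practice
# this lives in a reviewed file. The value here is constructed for the example.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# gpg status keywords that mean the signature must not be accepted, even though
# gpg also emits VALIDSIG alongside some of them (expired or revoked keys).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def trusted_signer(status_lines: Iterable[str], trusted: set) -> Optional[str]:
    """Parse gpg --status-fd lines (what `git verify-tag --raw` prints) and
    return the trusted primary-key fingerprint, or None if the signature is
    bad, missing, made with an expired/revoked key, or from an unlisted key."""
    good = False
    primary = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key, e.g. the one on a YubiKey;
            # fields[11], when present, is the primary key it belongs to.
            primary = fields[11] if len(fields) > 11 else fields[2]
    if good and primary in trusted:
        return primary
    return None

def verify_release_tag(tag: str, keyring_home: str, trusted: set) -> Optional[str]:
    """Run git verify-tag with GNUPGHOME pointing at a directory that holds only
    the maintainer keyring, so keys present on the CI host cannot satisfy it."""
    env = dict(os.environ, GNUPGHOME=keyring_home)
    proc = subprocess.run(["git", "verify-tag", "--raw", tag],
                          env=env, capture_output=True, text=True)
    return trusted_signer(proc.stderr.splitlines(), trusted)

if __name__ == "__main__":
    import sys
    signer = verify_release_tag(sys.argv[1], sys.argv[2], TRUSTED_FINGERPRINTS)
    if signer is None:
        sys.exit("tag not signed by a trusted maintainer; refusing to sign tarball")
    print(f"tag signed by trusted key {signer}; CI may now sign the tarball")
```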