Should we stop distributing source tarballs?

Ben Cooksley bcooksley at
Sat Apr 6 03:47:27 BST 2024

On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl <johannes at>

> On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote:
> > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > > - Tarballs should only be generated in a reproducible manner using
> > > scripts. Ideally by the CI only.
> > > - We should start to sign tarballs in the CI.
> >
> > I disagree. I want my tarball to be signed with my GPG key stored in my
> > Yubikey and not by a generic KDE key. It should be a proof that I as a
> > maintainer of a project did the release and not someone else. Same with
> > the upload to, while this adds some overhead in the process, I
> > think it is important that KDE Sysadmins are the ones who move the tarball
> > to their final location and do some minimal check (checksum match, it's
> > not a random person doing the release, ...).
> Signing with a KDE key could have some benefits, though. It's far easier
> for distros (or users) to check KDE software against a single, well known key.
> One could mitigate the downside that you mentioned by having the script
> check the tag signature against a keyring of trusted keys.

Please see - our process
for validating tarballs for release already includes ensuring the GPG
signatures provided are included in that keyring.
All modern releases of KDE software that come with a GPG signature whose
key is not in that keyring should be rejected.

Developers should also consider adding their keys to Gitlab at
Following this, your GPG key will be published at$username.gpg

> Cheers,
>   Johannes
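The check Ben describes (a tarball's GPG signature is accepted only if the signing key is in the project's keyring of trusted release keys, with a checksum comparison as the "minimal check") can be scripted. The following is an added example, not KDE's own release tooling: it assumes `gpg` is on PATH, a keyring file of trusted keys exported to an absolute path, and a list of the fingerprints those keys are expected to have. The status lines and fingerprints used below are constructed for illustration; gpg's `--status-fd` output is parsed rather than its human-readable text because the status lines are the documented, stable interface.

```python
"""Validate a release tarball: checksum, then detached GPG signature against
a pinned keyring, then the signing key's fingerprint against an allow-list.
Added example, not project code. Assumes gpg on PATH and a keyring file
(absolute path) containing only trusted release-manager keys."""
import hashlib
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

GPG_PREFIX = "[GNUPG:] "
# Status tags that each mean "do not accept this tarball".
REJECT_TAGS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Summarise gpg --status-fd output: fingerprints with a valid signature
    and any tags that mandate rejection."""
    summary: Dict[str, List[str]] = {"valid_fprs": [], "errors": []}
    for raw in lines:
        if not raw.startswith(GPG_PREFIX):
            continue
        fields = raw[len(GPG_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "VALIDSIG" and args:
            # args[0] is the fingerprint of the (sub)key that signed; when a
            # tenth field is present it is the primary key fingerprint, which
            # is what an allow-list is normally keyed on.
            fpr = args[9] if len(args) >= 10 else args[0]
            summary["valid_fprs"].append(fpr.upper())
        elif tag in REJECT_TAGS:
            summary["errors"].append(tag)
    return summary


def decide(status_lines: Iterable[str], allowed_fingerprints: Iterable[str]) -> Verdict:
    """Accept only if gpg reported a valid signature and every signing key is
    on the allow-list. Presence in the keyring alone is not enough: the
    keyring may hold more keys than are permitted to cut a release."""
    allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
    s = parse_status(status_lines)
    if s["errors"]:
        return Verdict(False, "gpg reported " + ", ".join(s["errors"]))
    if not s["valid_fprs"]:
        return Verdict(False, "no VALIDSIG line: nothing was verified")
    for fpr in s["valid_fprs"]:
        if fpr not in allowed:
            return Verdict(False, f"key {fpr} is not an allowed release key")
    return Verdict(True, "signature valid and key trusted", s["valid_fprs"][0])


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(tarball: str, signature: str, keyring: str,
                   allowed_fingerprints: Iterable[str],
                   expected_sha256: Optional[str] = None) -> Verdict:
    """Run the full check: optional checksum, then gpg against the pinned
    keyring only (--no-default-keyring), then the fingerprint allow-list."""
    if expected_sha256 is not None:
        digest = sha256_of(tarball)
        if digest != expected_sha256.lower():
            return Verdict(False, f"checksum mismatch: got {digest}")
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return decide(proc.stdout.splitlines(), allowed_fingerprints)


if __name__ == "__main__":
    import sys
    # usage: verify.py TARBALL TARBALL.sig /abs/path/trusted.kbx FPR [FPR...]
    verdict = verify_tarball(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4:])
    print(("ACCEPT: " if verdict.ok else "REJECT: ") + verdict.reason)
    sys.exit(0 if verdict.ok else 1)
```

The keyring path must be absolute (gpg resolves a bare filename relative to its home directory), and `--no-default-keyring` is what keeps a stray key in the operator's personal keyring from satisfying the check.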
