Should we stop distributing source tarballs?

Sven Brauch mail at svenbrauch.de
Sat Apr 6 17:22:22 BST 2024


Hi,

On 06.04.24 13:07, Marc Deop i Argemí wrote:
> If you automate things, everything can be reviewed/validated by more than one
> entity and thus increasing security.
> 
> The CI can be reviewed and audited but your personal laptop and your workflow
> cannot.

This is basically a discussion about whether it is less risky to trust 
the individual developers, or the people with access to the CI signing 
key. You are trading likeliness of there being one bad actor vs. impact 
one bad actor can have. It's a matter of personal opinion; there is no 
right or wrong choice here.

Whenever one option goes wrong, it will be easy to argue for changing to 
the other, until that one goes wrong, at which point you can change back. ;)

IMO the only actual improvement here would be reproducible tarballing: 
if each run of the packaging script produces the same result on all 
systems, the maintainers can locally build the tarball, sign the hash, 
upload the signature, then have the CI system build the same tarball and 
sign it again. Then KDE publishes both signatures and downstreams check 
them both.

I don't know how hard that would be to achieve technically, several 
obstacles come to mind immediately. But it would actually increase trust 
instead of just moving it around.

Greetings,
Sven
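The reproducible-tarball scheme sketched above, as an added Python example that is not part of this message or of any KDE tooling: a packaging step that normalises everything the build host usually leaks into an archive (entry order, mtimes, owner ids and names, the gzip header timestamp), so that a maintainer's laptop and a CI runner produce byte-identical tarballs from the same tree, plus the downstream rule that a tarball is accepted only when both parties attested the same hash. Keys, file contents and the SOURCE_DATE_EPOCH value are constructed, and HMAC over the digest is a stand-in for the OpenPGP detached signatures a real release would carry (the stdlib ships no public-key signer; the two-party acceptance logic is unchanged).

```python
"""Added example: reproducible source tarball + two-party attestation check."""
import gzip
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Constructed release timestamp baked into every archive entry (a real release
# would take this from the tag, e.g. via SOURCE_DATE_EPOCH).
SOURCE_DATE_EPOCH = 1712400000


def build_reproducible_tarball(src_dir: str, top_dir: str, mtime: int = SOURCE_DATE_EPOCH) -> bytes:
    """Return .tar.gz bytes that depend only on the paths and contents under src_dir."""
    buf = io.BytesIO()
    # gzip header: mtime 0 and no embedded filename, so the compressed stream is stable too
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for root, dirs, files in os.walk(src_dir):
                dirs.sort()  # deterministic traversal regardless of on-disk order
                for name in sorted(files):
                    path = os.path.join(root, name)
                    rel = os.path.relpath(path, src_dir).replace(os.sep, "/")
                    info = tar.gettarinfo(path, arcname=f"{top_dir}/{rel}")
                    info.mtime = mtime                       # drop host mtimes
                    info.uid = info.gid = 0                  # drop host uid/gid ...
                    info.uname = info.gname = ""             # ... and user names
                    info.mode = 0o755 if info.mode & 0o111 else 0o644  # keep only exec bit
                    with open(path, "rb") as fh:
                        tar.addfile(info, fh)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_digest(key: bytes, digest_hex: str) -> str:
    """Stand-in for a detached OpenPGP signature over the tarball hash (HMAC here)."""
    return hmac.new(key, digest_hex.encode(), hashlib.sha256).hexdigest()


def downstream_check(tarball: bytes, maintainer_sig: str, ci_sig: str,
                     maintainer_key: bytes, ci_key: bytes) -> bool:
    """Accept only if BOTH independent parties signed the hash of exactly this tarball."""
    digest = sha256_hex(tarball)
    ok_maint = hmac.compare_digest(maintainer_sig, sign_digest(maintainer_key, digest))
    ok_ci = hmac.compare_digest(ci_sig, sign_digest(ci_key, digest))
    return ok_maint and ok_ci


def demo() -> dict:
    """Build the same tree on two 'hosts' with different on-disk mtimes/order, then check."""
    files = {"src/main.c": b"int main(void) { return 0; }\n",   # constructed contents
             "README": b"hello\n",
             "src/util.h": b"#pragma once\n"}

    def make_tree(order, stamp):
        d = tempfile.mkdtemp()
        for rel in order:
            p = os.path.join(d, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(files[rel])
            os.utime(p, (stamp, stamp))  # host-specific mtime that must not leak
        return d

    maintainer_key = b"maintainer-laptop-key (constructed)"
    ci_key = b"ci-signing-key (constructed)"
    maint_tar = build_reproducible_tarball(make_tree(sorted(files), 1000), "proj-1.0")
    ci_tar = build_reproducible_tarball(make_tree(sorted(files, reverse=True), 2000), "proj-1.0")
    maint_sig = sign_digest(maintainer_key, sha256_hex(maint_tar))
    ci_sig = sign_digest(ci_key, sha256_hex(ci_tar))

    # Failure modes a downstream must catch: a tarball altered after signing, a CI that
    # (for whatever reason) built something else than the maintainer, and a release
    # carrying only one valid signature.
    tampered = ci_tar + b"\n"
    diverged = build_reproducible_tarball(make_tree(sorted(files), 3000), "proj-1.0",
                                          mtime=SOURCE_DATE_EPOCH + 1)
    diverged_ci_sig = sign_digest(ci_key, sha256_hex(diverged))
    return {
        "reproducible": maint_tar == ci_tar,
        "accepted": downstream_check(ci_tar, maint_sig, ci_sig, maintainer_key, ci_key),
        "tampered_rejected": not downstream_check(tampered, maint_sig, ci_sig, maintainer_key, ci_key),
        "ci_diverged_rejected": not downstream_check(diverged, maint_sig, diverged_ci_sig,
                                                     maintainer_key, ci_key),
        "single_party_rejected": not downstream_check(ci_tar, maint_sig, sign_digest(ci_key, "0" * 64),
                                                      maintainer_key, ci_key),
    }


if __name__ == "__main__":
    print(demo())
```

The point the check makes concrete: a single compromised party (either the laptop or the CI key) can still produce a signed tarball, but not one that carries a second valid signature over the same hash, so the damage is limited to withholding a release rather than shipping a modified one.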