Should we stop distributing source tarballs?

Marc Deop i Argemí kde at
Sun Apr 7 14:55:09 BST 2024

On Saturday, 6 April 2024 18:22:22 CEST Sven Brauch wrote:
> This is basically a discussion about whether it is less risky to trust
> the individual developers, or the people with access to the CI signing
> key. You are trading likeliness of there being one bad actor vs. impact
> one bad actor can have. It's a matter of personal opinion; there is no
> right or wrong choice here.

No, it is not.

The key is that the infrastructure creation needs to also be automated. 

Once you have the *bootstrap*, you can trust the automation because you can
review and audit it (to a certain degree, of course, there is nothing bullet

I have been surprised for years at how the KDE infrastructure is handled (so
many things done manually), but as I am not _in_, I cannot really judge because
I don't know all of the circumstances and context.

Best regards
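The reproducible-bootstrap argument above can be made concrete: if the release archive is produced by a deterministic recipe, anyone holding the tagged source tree can regenerate it and compare hashes, which is what turns "trust the CI signing key" into something a third party can audit. The following is an added example, not code from this thread or from KDE's release tooling; the sample project layout, the `sample-1.0` archive prefix and the normalization rules (sorted entries, zero mtime, uid/gid 0, fixed modes) are assumptions made for the demonstration.

```python
"""Reproducible source archive check (added example, not from the kde-devel thread).

Builds a normalized, uncompressed tar stream from a source tree so that an
archive published by CI can be regenerated from the same tree and compared
byte-for-byte. Comparing the uncompressed stream sidesteps differences between
zlib versions, which can change gzip output without changing the content.
"""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

FIXED_MTIME = 0  # assumption: a real recipe would use the tag's commit time


def deterministic_tar(src_dir, prefix):
    """Return the bytes of a normalized tar archive of src_dir.

    Normalization: entries sorted by path, constant mtime, uid/gid 0, empty
    user/group names, mode 0755 for directories and executables, 0644 otherwise.
    Only directories and regular files are archived (symlinks etc. are skipped).
    """
    src = Path(src_dir)
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(src.rglob("*")):
            if not (path.is_dir() or path.is_file()) or path.is_symlink():
                continue
            rel = path.relative_to(src).as_posix()
            info = tar.gettarinfo(str(path), arcname=f"{prefix}/{rel}")
            info.mtime = FIXED_MTIME
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            executable = path.is_dir() or os.access(path, os.X_OK)
            info.mode = 0o755 if executable else 0o644
            if path.is_file():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_release_archive(src_dir, prefix, distributed):
    """True if the distributed archive (tar or tar.gz) matches a rebuild from src_dir."""
    if distributed[:2] == b"\x1f\x8b":  # gzip magic: strip the compression layer
        distributed = gzip.decompress(distributed)
    return sha256_hex(distributed) == sha256_hex(deterministic_tar(src_dir, prefix))


def make_sample_tree(root):
    """Constructed sample project used only for this demonstration."""
    root = Path(root)
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "configure").write_text("#!/bin/sh\nexit 0\n")
    os.chmod(root / "configure", 0o755)
    (root / "README").write_text("constructed sample project\n")


def demo():
    """Simulate CI publishing an archive and an auditor rebuilding it.

    Returns (matches_clean_tree, matches_modified_tree).
    """
    with tempfile.TemporaryDirectory() as ci_tree, tempfile.TemporaryDirectory() as audit_tree:
        make_sample_tree(ci_tree)
        make_sample_tree(audit_tree)  # same content, different mtimes/inodes
        published = gzip.compress(deterministic_tar(ci_tree, "sample-1.0"))
        clean_ok = verify_release_archive(audit_tree, "sample-1.0", published)
        # One extra line in the auditor's tree must break the match.
        with open(Path(audit_tree) / "README", "a") as fh:
            fh.write("a line that was not in the published tree\n")
        modified_ok = verify_release_archive(audit_tree, "sample-1.0", published)
        return clean_ok, modified_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the example is the second return value as much as the first: a reproducible recipe only helps if any divergence between the published archive and the tagged tree is detected, so the check is worth wiring into a release job alongside the signature check rather than run by hand.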
