kdeplanet article: adridg: KDE source signing
Duncan
1i5t5.duncan at cox.net
Thu Apr 22 22:37:21 BST 2010
I found this article by ade/adridg (Adriaan de Groot) on planetkde today,
and thought it rather interesting. Apparently, the 4.4 tarballs, at
least, haven't been signed, while 3.5.9 had at least md5sums, and the
older still 3.5 had md5sums AND *.asc gpg signatures.
Adridg says she'll be checking with the kde sysadmins...
Gentoo of course uses source packages, but they hash them too (with
signing of the gentoo ebuilds and tree a work in progress), and part of the
package manager system verifies the hashes. But I hadn't thought that kde
might not be verifying the source tarballs themselves, leaving the gentoo/
kde devs to provide their own verification.
Obviously this is somewhat disturbing. I'm glad someone noticed the issue
and is investigating, now.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
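As an added example (not code from the post, from KDE, or from Gentoo's package manager), the script below walks through the two release artefacts the post contrasts, a checksum file and a detached *.asc GnuPG signature, and shows what each one actually proves. It uses sha256sum rather than md5sum (the "hash  filename" file format is identical), generates a throwaway signing key and a constructed example-1.0 tarball in a scratch directory so it runs offline, and assumes gpg, tar and coreutils are installed. All names, the key and the tarball contents are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the list post, KDE or Gentoo: verifying a
# source tarball against a checksum file and a detached ASCII-armoured
# GnuPG signature (.asc).  sha256sum stands in for md5sum; the checksum
# file format is the same.  Names, key and tarball are constructed here.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway signing key, standing in for the release manager's key.  A real
# verifier gets that key out of band (keyserver, project web site, key
# signatures from people they trust), never from the mirror serving the tarball.
gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Release Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF

# Constructed "release": tarball, checksum file and detached signature,
# published the way a release manager would publish them.
make_release() {
  ( cd "$WORK" &&
    mkdir -p src/example-1.0 &&
    printf 'int main(void) { return 0; }\n' > src/example-1.0/main.c &&
    tar -czf example-1.0.tar.gz -C src example-1.0 &&
    sha256sum example-1.0.tar.gz > example-1.0.tar.gz.sha256 &&
    gpg --batch --quiet --yes --armor --detach-sign \
        --output example-1.0.tar.gz.asc example-1.0.tar.gz )
}

# Integrity only: the bytes match the checksum file.  Anyone who can replace
# the tarball on a mirror can replace the checksum file next to it as well.
verify_checksum() {
  ( cd "$WORK" && sha256sum --check --status "$1.sha256" )
}

# Authenticity: the detached signature must verify with the signer's key
# already in the local keyring.  gpg exits 0 only for a good signature.
verify_signature() {
  ( cd "$WORK" && gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1 )
}

# A packager's full check: both must pass.
verify_release() {
  verify_checksum "$1" && verify_signature "$1"
}

# Simulate a compromised mirror: alter the tarball and, as an attacker who
# controls the mirror would, regenerate the checksum file to match.
tamper_release() {
  ( cd "$WORK" && printf 'x' >> "$1" && sha256sum "$1" > "$1.sha256" )
}

make_release
verify_release example-1.0.tar.gz && echo "pristine release: checksum and signature OK"
tamper_release example-1.0.tar.gz
verify_checksum example-1.0.tar.gz && echo "tampered release: checksum still passes"
verify_signature example-1.0.tar.gz || echo "tampered release: signature fails, tampering caught"
```

The second half is the point of the post: a checksum file served from the same place as the tarball catches download corruption but not a substituted tarball, because the attacker regenerates it too. Only the detached signature, checked against a key the packager obtained separately, ties the tarball to the project. A distribution that records its own digests (as Gentoo does) protects its users against the mirror, but it still needs the upstream signature to know that what it digested was the real release in the first place. If the upstream files really are md5sums, the same flow applies with md5sum, with the extra caveat that MD5 collisions are practical, so it should not be relied on even for the integrity half.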
___________________________________________________
This message is from the kde mailing list.
Account management: https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.