kde sources not signed any more?

Thomas Zeitlhofer thomas.zeitlhofer at nt.tuwien.ac.at
Fri Apr 18 00:27:54 CEST 2008


Hello Dirk,

On Thu, Apr 17, 2008 at 12:03:28PM +0200, Dirk Mueller wrote:
> On Sunday 09 March 2008, Sebastian Kuegler wrote:
> 
> > As I'm not familiar with the process of creating and signing tarballs, I'm
> > CC:ing your question to the release team mailinglist.
> 
> just for time reasons, and it wasn't that much requested so far. the way to 
> verify the download is by comparing the md5sum with the information listed on 
> http://www.kde.org/info/<version number>.php

in contrast to PGP signatures, the authenticity of this page cannot be
verified (also no ssl certificate). So this does not allow to "really"
verify the sources.

Therefore, it would be nice if the sources could be signed again (as it
was the case up to version 3.5.7).

Regards,

Thomas


More information about the release-team mailing list