Proposal: Implementing signing process for official tarballs (try #1)

Dirk Mueller mueller at
Fri May 28 23:32:58 CEST 2010

On Wednesday 26 May 2010, Joanna Rutkowska wrote:

> Digital Signatures do *not* prove any other property, e.g. that the file
> is not malicious. In fact there is nothing that could stop people from
> signing a malicious program, and it even happens from time to time in
> reality.

Well,in  fact we had gpg signatures for KDE releases up to 3.5.7, with a 
published gpg key (up to 2007). Somewhen around that I forgot the passphrase 
to the key, so I had to stop using it. It wasn't compromised, in fact it is 
still sitting on a special machine that I haven't used for anything else 
(meanwhile I don't think it boots anymore, at least I haven't tried for 
several years). I will also not be able to recover the passphrase as it was 
fairly long so a brute-force attack is not going to get anywhere. 

I'm fine with providing a signature again, but fact is that nobody requested 
them again so far. Just providing the md5sums on the website was enough so far 
- people are mostly concerned about incomplete/wrong downloads rather than 
malicious attacks. 


More information about the release-team mailing list