Proposal: Implementing signing process for official tarballs (try #1)
Dirk Mueller
mueller at kde.org
Fri May 28 23:32:58 CEST 2010
On Wednesday 26 May 2010, Joanna Rutkowska wrote:
> Digital Signatures do *not* prove any other property, e.g. that the file
> is not malicious. In fact there is nothing that could stop people from
> signing a malicious program, and it even happens from time to time in
> reality.

Well, in fact we had gpg signatures for KDE releases up to 3.5.7, with a
published gpg key (up to 2007). Somewhen around that I forgot the passphrase
to the key, so I had to stop using it. It wasn't compromised, in fact it is
still sitting on a special machine that I haven't used for anything else
(meanwhile I don't think it boots anymore, at least I haven't tried for
several years). I will also not be able to recover the passphrase as it was
fairly long so a brute-force attack is not going to get anywhere.

I'm fine with providing a signature again, but the fact is that nobody requested
them again so far. Just providing the md5sums on the website was enough so far
- people are mostly concerned about incomplete/wrong downloads rather than
malicious attacks.

Greetings,
Dirk