tarball signing

Sandro Knauß knauss at kolabsys.com
Fri Jun 3 22:18:44 UTC 2016


Hey,


> Does that really fix anything if no one has my gpg key in the
> trusted/validated signatures area? How do they know it's me that signed the
> package and not some hacker that got access to the server and did sign the
> tarballs?

On the one side, if the private key is easy to grab, it does not help improve 
security, but if the private key lives only on a specific secured computer, 
it would help a lot. 

One major thing is that I can easily see that it is the same key used as for 
the release before. I can be sure that nobody changed the tarballs at the 
server after they were pushed. And this is really a security issue; it happens 
for other open source projects. And also, if I would create a GPG key with the 
same name, others would see that a different key was used. We can publish the 
release key on the website and keyservers, make prints at Akademy, ...

So at first it is the TOFU security model, but with time we can improve the 
security.

Regards,

sandro
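The check described in the mail (is this release signed by the same key as the release before?) is a trust-on-first-use pin on the signing key's fingerprint. The following is an added example, not code from this thread or from the release team; it assumes gpg's `--status-fd` output format (a VALIDSIG line carries the full fingerprint of the signing key, with the primary key's fingerprint as its last field) and uses constructed status lines with made-up fingerprints as sample input.

```python
"""Trust-on-first-use (TOFU) pinning of a project's release-signing key.

Added example, not code from the mailing-list thread.  The status lines
parsed here follow the format of `gpg --status-fd 1 --verify SIG TARBALL`;
the sample blocks built by constructed_status() are constructed data.
"""
import subprocess

# Any of these status keywords means the signature must not be trusted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed fingerprints for the sample data (not real keys).
FPR_A = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def signing_fingerprint(status_text):
    """Return the primary-key fingerprint behind a valid signature, or None.

    Only VALIDSIG is used: GOODSIG carries just a short key id, which is cheap
    to collide, and any keyword in FAILURE_KEYWORDS disqualifies the whole run.
    """
    fpr = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FAILURE_KEYWORDS:
            return None
        if keyword == "VALIDSIG" and len(parts) >= 3:
            # parts[2] is the (sub)key that made the signature; the last field,
            # when present, is the primary key it belongs to.  Pin the primary.
            fpr = parts[11] if len(parts) >= 12 else parts[2]
    return fpr


def check_release(project, status_text, pins):
    """Compare the key that signed this release with the one pinned for `project`.

    `pins` maps project name -> primary fingerprint seen on the first verified
    release (in real use this lives in a file or under version control).
    Returns (verdict, detail).
    """
    fpr = signing_fingerprint(status_text)
    if fpr is None:
        return ("unverified", "no VALIDSIG, or gpg reported a failure status")
    pinned = pins.get(project)
    if pinned is None:
        pins[project] = fpr  # first use: trust it and remember it (TOFU)
        return ("pinned", fpr)
    if pinned == fpr:
        return ("ok", fpr)
    # A different key than last time: either a key rollover that should have
    # been announced out of band, or the signer is not who we think it is.
    return ("mismatch", f"pinned {pinned}, this release signed by {fpr}")


def gpg_status(sig_path, tarball_path):
    """Run gpg and return its machine-readable status lines (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, tarball_path],
        capture_output=True, text=True, check=False)  # non-zero exit on bad sig
    return proc.stdout


def constructed_status(primary_fpr, keyword="GOODSIG"):
    """Build a constructed gpg status block (sample data, not real gpg output)."""
    short_id = primary_fpr[-16:]
    lines = [
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] KEY_CONSIDERED {primary_fpr} 0",
        f"[GNUPG:] {keyword} {short_id} Release Team <release@example.invalid>",
    ]
    if keyword == "GOODSIG":
        lines.append(f"[GNUPG:] VALIDSIG {primary_fpr} 2016-06-03 1464990000 0 4 0 1 10 00 {primary_fpr}")
        lines.append("[GNUPG:] TRUST_UNDEFINED 0 pgp")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pins = {}
    print(check_release("frameworks", constructed_status(FPR_A), pins))            # pinned
    print(check_release("frameworks", constructed_status(FPR_A), pins))            # ok
    print(check_release("frameworks", constructed_status(FPR_B), pins))            # mismatch
    print(check_release("frameworks", constructed_status(FPR_A, "BADSIG"), pins))  # unverified
```

The pin store is what turns "TRUST_UNDEFINED" from gpg into a useful signal: the first verified release establishes the fingerprint, every later release is compared against it, and a mismatch is treated as a block-and-investigate event rather than silently accepted, which is exactly the "same key as the release before" check the mail relies on.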


More information about the release-team mailing list