Outdated GPG signing keys info on website

Albert Astals Cid aacid at kde.org
Sun Oct 28 22:27:28 GMT 2018


El diumenge, 28 d’octubre de 2018, a les 13:10:38 CET, Albert Astals Cid va escriure:
> El diumenge, 28 d’octubre de 2018, a les 1:43:44 CET, Daniel Vrátil va escriure:
> > Hola!
> > 
> > looking for GPG keys for Applications tarballs signatures, 
> 
> They are on the info page of each release, i.e. https://www.kde.org/info/applications-18.08.0.php
> 
> 	The tarballs have been signed by Christoph Feck F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87. 
> 
> > Google has lead me 
> > to https://kde.org/download/signature.php which contains a pair of fairly 
> > outdated GPG keys - I don't know if this site is linked from anywhere, but IMO 
> > it should either be updated with keys of people who do sign our tarballs these 
> > days or removed completely - it would certainly improve the trustworthiness of 
> > the signatures :-)
> 
> They are only linked from a few 3.0.x releases.
> 
> $ wcgrep signature.php
> ./download/signature.php:6:<!-- $Id: signature.php 523084 2006-03-27 11:23:21Z scripty $ -->
> ./info/3.0.4.php:35:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.2.php:34:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.5.php:32:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.3.php:35:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.5a.php:32:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> 
> Given that those tarbals are no longer accessible on the web (which i find weird we remove stuff but that's how it is) I guess we can just remove that line and the page altogether.

Done

> 
> Cheers,
>   Albert
> 
> > 
> > Cheers,
> > Daniel
> > 
> > 
> > 
> 
> 
> 
> 






More information about the release-team mailing list