Outdated GPG signing keys info on website
Albert Astals Cid
aacid at kde.org
Sun Oct 28 22:27:28 GMT 2018
El diumenge, 28 d’octubre de 2018, a les 13:10:38 CET, Albert Astals Cid va escriure:
> El diumenge, 28 d’octubre de 2018, a les 1:43:44 CET, Daniel Vrátil va escriure:
> > Hola!
> >
> > looking for GPG keys for Applications tarballs signatures,
>
> They are on the info page of each release, i.e. https://www.kde.org/info/applications-18.08.0.php
>
> The tarballs have been signed by Christoph Feck F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87.
>
> > Google has lead me
> > to https://kde.org/download/signature.php which contains a pair of fairly
> > outdated GPG keys - I don't know if this site is linked from anywhere, but IMO
> > it should either be updated with keys of people who do sign our tarballs these
> > days or removed completely - it would certainly improve the trustworthiness of
> > the signatures :-)
>
> They are only linked from a few 3.0.x releases.
>
> $ wcgrep signature.php
> ./download/signature.php:6:<!-- $Id: signature.php 523084 2006-03-27 11:23:21Z scripty $ -->
> ./info/3.0.4.php:35: <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.2.php:34: <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.5.php:32: <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.3.php:35: <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> ./info/3.0.5a.php:32: <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
>
> Given that those tarbals are no longer accessible on the web (which i find weird we remove stuff but that's how it is) I guess we can just remove that line and the page altogether.
Done
>
> Cheers,
> Albert
>
> >
> > Cheers,
> > Daniel
> >
> >
> >
>
>
>
>
More information about the release-team
mailing list