Outdated GPG signing keys info on website

Ben Cooksley bcooksley at kde.org
Mon Oct 29 07:23:20 GMT 2018


On Mon, Oct 29, 2018 at 11:29 AM Albert Astals Cid <aacid at kde.org> wrote:
>
> On Sunday, 28 October 2018, at 19:31:41 CET, Ben Cooksley wrote:
> > On Mon, 29 Oct 2018, 01:10 Albert Astals Cid <aacid at kde.org> wrote:
> >
> > > On Sunday, 28 October 2018, at 1:43:44 CET, Daniel Vrátil wrote:
> > > > Hola!
> > > >
> > > > looking for GPG keys for Applications tarballs signatures,
> > >
> > > They are on the info page of each release, i.e.
> > > https://www.kde.org/info/applications-18.08.0.php
> > >
> > >         The tarballs have been signed by Christoph Feck
> > > F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87.
> > >
> > > > Google has led me
> > > > to https://kde.org/download/signature.php which contains a pair of fairly
> > > > outdated GPG keys - I don't know if this site is linked from anywhere, but IMO
> > > > it should either be updated with keys of people who do sign our tarballs these
> > > > days or removed completely - it would certainly improve the trustworthiness of
> > > > the signatures :-)
> > >
> > > They are only linked from a few 3.0.x releases.
> > >
> > > $ wcgrep signature.php
> > > ./download/signature.php:6:<!-- $Id: signature.php 523084 2006-03-27 11:23:21Z scripty $ -->
> > > ./info/3.0.4.php:35:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> > > ./info/3.0.2.php:34:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> > > ./info/3.0.5.php:32:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> > > ./info/3.0.3.php:35:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> > > ./info/3.0.5a.php:32:  <a href="http://www.kde.org/download/signature.php">KDE Signature page</a>
> > >
> > > Given that those tarballs are no longer accessible on the web (which I find
> > > weird we remove stuff but that's how it is) I guess we can just remove that
> > > line and the page altogether.
> > >
> >
> > The removal of things was an old policy and something which is no longer
> > followed.
> >
> > Things get moved to the Attic now instead: https://download.kde.org/Attic/
>
> Cool :)
>
> > (this is necessary as we have an agreement with our mirrors to keep stable/
> > within a certain size range)
>
> Makes sense :)
>
> Do you think there is any chance in which we could do some magic so that if people try to access https://download.kde.org/stable/applications/17.12.2/ they get sent to the Attic?

Apache says yes.

    # If something has moved to the attic, and someone tries to access it at the old location, try to help them to it
    RewriteCond %{DOCUMENT_ROOT}/stable/$1 !-f
    RewriteCond %{DOCUMENT_ROOT}/stable/$1 !-d
    RewriteCond %{DOCUMENT_ROOT}/Attic/$1 -f [OR]
    RewriteCond %{DOCUMENT_ROOT}/Attic/$1 -d
    RewriteRule ^/stable/(.*?)(.mirrorlist|.md5|.sha1|.sha256)?$ /Attic/$1$2 [R=302,L]

This should work now.

Cheers,
Ben

>
> Cheers,
>   Albert
>
> >
> >
> > > Cheers,
> > >   Albert
> > >
> >
> > Cheers,
> > Ben
> >
> >
> > > >
> > > > Cheers,
> > > > Daniel
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
>
>
>
>
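
A small model of the rewrite logic in the message above, added here as an illustration (it is not Ben's or KDE's code, and it is not Apache itself): it reuses the rule's regular expression in Python and evaluates the four RewriteCond checks against a constructed temporary directory tree. The function names and the sample file names are assumptions.

```python
import os
import re
import tempfile

# Pattern copied verbatim from the RewriteRule in the message.
RULE = re.compile(r"^/stable/(.*?)(.mirrorlist|.md5|.sha1|.sha256)?$")


def attic_redirect(docroot, request_path):
    """Return the 302 target the rule would produce, or None if it does not fire."""
    m = RULE.match(request_path)
    if not m:
        return None
    # $1 is the path without a metadata suffix; $2 is the suffix, if any.
    base, suffix = m.group(1), m.group(2) or ""
    stable = os.path.join(docroot, "stable", base)
    attic = os.path.join(docroot, "Attic", base)
    # RewriteCond 1 and 2: nothing by that name remains under stable/ (!-f, !-d).
    if os.path.isfile(stable) or os.path.isdir(stable):
        return None
    # RewriteCond 3 and 4: the name exists under Attic/ as a file OR a directory.
    if not (os.path.isfile(attic) or os.path.isdir(attic)):
        return None
    return "/Attic/" + base + suffix


def build_sample_tree():
    """Constructed docroot: one archived release and one current release."""
    root = tempfile.mkdtemp()
    files = (
        "Attic/applications/17.12.2/src/demo-17.12.2.tar.xz",   # hypothetical name
        "stable/applications/18.08.0/src/demo-18.08.0.tar.xz",  # hypothetical name
    )
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        open(path, "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for req in ("/stable/applications/17.12.2/",
                "/stable/applications/17.12.2/src/demo-17.12.2.tar.xz.sha256",
                "/stable/applications/18.08.0/src/demo-18.08.0.tar.xz"):
        print(req, "->", attic_redirect(root, req))
```

Because the existence checks run on `$1` only, a request for a checksum or mirror list follows its tarball to the Attic even though no such suffix file exists on disk.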

