Source Signing
Rolf Eike Beer
kde at opensource.sf-tec.de
Tue Sep 24 11:13:11 BST 2019
Am 2019-09-24 00:30, schrieb Albert Astals Cid:
> El dijous, 19 de setembre de 2019, a les 14:49:53 CEST, Tom Albers va
> escriure:
>> I'ld also like to add that currently some developers have access to do
>> releases directly - I've also seen those people putting the files on
>> the ftp-server for other projects then the original intention had
>> been.
>>
>> I would like to propose that *all* releases should follow the below
>> proposal, effectively that would involve that the direct access would
>> be cancelled for those currently having access to the ftp-server
>> directly.
>> This means an improved paper trail for those releases too and further
>> reduces the effect of compromised accounts and / or tarballs.
>
> -1 this just makes it harder for us that have 200 packages to release
> for no real reason.
>
> If my gpg/ssh keys gets compromised, what difference does it make that
> i upload directly to the ftp-server or to the "sysadmin please upload
> this" server?
When I read the proposal there is possibly just one thing missing:
If all checks pass (signing etc.) _AND_ the gpg key is already in the
list of trusted keys, then just do it (no manual verifying needed).
Or am I missing something obvious?
Eike
More information about the release-team
mailing list