Source Signing

Rolf Eike Beer kde at
Tue Sep 24 11:13:11 BST 2019

Am 2019-09-24 00:30, schrieb Albert Astals Cid:
> El dijous, 19 de setembre de 2019, a les 14:49:53 CEST, Tom Albers va 
> escriure:
>> I'ld also like to add that currently some developers have access to do 
>> releases directly - I've also seen those people putting the files on 
>> the ftp-server for other projects then the original intention had 
>> been.
>> I would like to propose that *all* releases should follow the below 
>> proposal, effectively that would involve that the direct access would 
>> be cancelled for those currently having access to the ftp-server 
>> directly.
>> This means an improved paper trail for those releases too and further 
>> reduces the effect of compromised accounts and / or tarballs.
> -1 this just makes it harder for us that have 200 packages to release
> for no real reason.
> If my gpg/ssh keys gets compromised, what difference does it make that
> i upload directly to the ftp-server or to the "sysadmin please upload
> this" server?

When I read the proposal there is possibly just one thing missing:

If all checks pass (signing etc.) _AND_ the gpg key is already in the 
list of trusted keys, then just do it (no manual verifying needed).

Or am I missing something obvious?


More information about the release-team mailing list