Hi,

On 06.04.24 13:07, Marc Deop i Argemí wrote:
> If you automate things, everything can be reviewed/validated by more than one
> entity and thus increase security.
> 
> The CI can be reviewed and audited but your personal laptop and your workflow
> cannot.

This is basically a discussion about whether it is less risky to trust the individual developers or the people with access to the CI signing key. You are trading the likelihood of there being one bad actor against the impact one bad actor can have. It's a matter of personal opinion; there is no right or wrong choice here.

Whenever one option goes wrong, it will be easy to argue for changing to the other, until that one goes wrong, at which point you can change back. ;)

IMO the only actual improvement here would be reproducible tarballing: if each run of the packaging script produces the same result on all systems, the maintainers can locally build the tarball, sign the hash, upload the signature, then have the CI system build the same tarball and sign it again. Then KDE publishes both signatures and downstreams check them both.

I don't know how hard that would be to achieve technically; several obstacles come to mind immediately. But it would actually increase trust instead of just moving it around.

Greetings,
Sven

Attachment: OpenPGP_0xA4AAD0019BE03F15.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
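The reproducible-tarball scheme Sven sketches (maintainer and CI each build the tarball independently, each signs the hash, downstream accepts only if both signed hashes match what it downloaded) depends on the packaging step producing byte-identical output on every machine. The following is an added example, not code from this thread or from KDE's release tooling; it assumes a constructed sample tree, a fixed SOURCE_DATE_EPOCH-style timestamp, and that OpenPGP signature verification has already been done elsewhere so that only the hash comparison is modelled. It shows which host-specific metadata (ownership, timestamps, umask-dependent mode bits, directory listing order, gzip header timestamp) must be normalized for two machines to agree.

```python
"""Reproducible source tarball plus dual-attestation check (added example)."""
import gzip
import hashlib
import io
import os
import stat
import tarfile
import tempfile


def _normalize(info: tarfile.TarInfo, epoch: int) -> tarfile.TarInfo:
    # Strip everything that legitimately differs between machines: ownership,
    # timestamps and umask-dependent permission bits. Only "is it executable?"
    # survives, which is all a source tarball needs to carry.
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    info.mtime = epoch
    if info.isdir() or (info.mode & stat.S_IXUSR):
        info.mode = 0o755
    else:
        info.mode = 0o644
    return info


def build_reproducible_tarball(src_dir: str, root_name: str, epoch: int) -> bytes:
    """Return a .tar.gz whose bytes depend only on the file tree's content."""
    raw = io.BytesIO()
    # USTAR has no extended headers that could carry host-specific data, and
    # tarfile.add() recurses in sorted order (Python >= 3.7), so the host's
    # directory listing order cannot change the result.
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        tar.add(src_dir, arcname=root_name, recursive=True,
                filter=lambda ti: _normalize(ti, epoch))
    # The gzip header also stores a timestamp; pin it to 0.
    return gzip.compress(raw.getvalue(), compresslevel=9, mtime=0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def downstream_check(downloaded: bytes, maintainer_signed_hash: str,
                     ci_signed_hash: str) -> bool:
    """Accept a release only if the hash covered by the maintainer's signature,
    the hash covered by the CI signature, and the downloaded bytes all agree.
    (Verifying the two OpenPGP signatures themselves is assumed to have
    happened before the hashes are passed in.)"""
    return sha256_hex(downloaded) == maintainer_signed_hash == ci_signed_hash


# Constructed sample source tree; not a real KDE project.
SOURCE = {
    "src/main.cpp": "int main() { return 0; }\n",
    "README": "example\n",
    "CMakeLists.txt": "project(example)\n",
}


def _write_tree(base: str, files: dict, mode: int, mtime: int) -> None:
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))


def simulate_two_hosts(epoch: int = 1712404020):
    """Build the same tree on two simulated machines that differ in umask,
    file mtimes and the order in which files were written, and return the
    tarball each one produced."""
    host_a = tempfile.mkdtemp()
    host_b = tempfile.mkdtemp()
    _write_tree(host_a, SOURCE, 0o600, 1_000_000_000)
    _write_tree(host_b, dict(reversed(list(SOURCE.items()))), 0o664, 1_700_000_000)
    tar_a = build_reproducible_tarball(host_a, "example-1.0", epoch)
    tar_b = build_reproducible_tarball(host_b, "example-1.0", epoch)
    return tar_a, tar_b


if __name__ == "__main__":
    maintainer_tar, ci_tar = simulate_two_hosts()
    maintainer_hash = sha256_hex(maintainer_tar)   # what the maintainer signs
    ci_hash = sha256_hex(ci_tar)                   # what the CI signs
    print("hashes agree:", maintainer_hash == ci_hash)
    print("downstream accepts:", downstream_check(ci_tar, maintainer_hash, ci_hash))
```

If either party's build differs by a single byte the two signed hashes diverge and `downstream_check` rejects, which is exactly the property that makes a second signature add trust rather than just relocate it.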
