On Sunday, December 28th, 2025 at 4:27 PM, Thomas Baumgart <[email protected]>
wrote:
> José,
>
> this is a viable request, but supporting it may not be as easy as one thinks
> and may not bring any real additional value.
>
> The AppImage versions are generated by a CI/CD pipeline controlled by the KDE
> project. We developers don't have access to the generated file until it shows
> up on the net.
>
> Adding a checksum file does not bring any security benefit in my eyes, because
> if someone can exchange the generated AppImage version, this someone is also
> capable of replacing the checksum file. Just make sure to download from the
> KDE servers and not a source.
>
> The released source code tarballs on the other hand are in fact signed with
> a GPG key and the signature is available for verification on
> e.g. https://download.kde.org/stable/kmymoney/5.2.1/
>
> I recently wrote a blog post about how this all works together. Maybe you
> want to take a read at
>
> https://blog.bembel.net/2025/12/why-doesnt-kmymoney-provide-old-binary-versions/
Very good, I respect any decision on your end, since at the end
of the day, if I don't want to trust that the build reached my end OK,
I can just reproduce the build myself and be done.
Thanks for the heads up though!
--
José Pekkarinen