On Wednesday 26 May 2010, Joanna Rutkowska wrote:
> Digital Signatures do *not* prove any other property, e.g. that the file
> is not malicious. In fact there is nothing that could stop people from
> signing a malicious program, and it even happens from time to time in
> reality.

Well, in fact we had gpg signatures for KDE releases up to 3.5.7, with a published gpg key (up to 2007). Somewhere around that time I forgot the passphrase to the key, so I had to stop using it. It wasn't compromised; in fact it is still sitting on a special machine that I haven't used for anything else (meanwhile I don't think it boots anymore, at least I haven't tried for several years). I will also not be able to recover the passphrase, as it was fairly long, so a brute-force attack is not going to get anywhere.

I'm fine with providing a signature again, but the fact is that nobody has requested them again so far. Just providing the md5sums on the website was enough so far - people are mostly concerned about incomplete/wrong downloads rather than malicious attacks.

Greetings,
Dirk

_______________________________________________
release-team mailing list
release-team@kde.org
https://mail.kde.org/mailman/listinfo/release-team