Subject: Proposal: Implementing signing process for official tarballs (try #1)
Date: Wed, 26 May 2010 14:25:27 +0200
From: Joanna Rutkowska
To: kde-de...@kde.org, release-team@kde.org
For background discussion see this thread on kde-devel:
http://lists.kde.org/?t=12747932026&r=1&w=2
On Fri, 28 May 2010 23:32:58 +0200, Dirk Mueller wrote:
> I'm fine with providing a signature again, but fact is that nobody requested
> them again so far. Just providing the md5sums on the website was enough so far
> - people are mostly concerned about incomplete/wrong downloads rather tha
On Wednesday 26 May 2010, Joanna Rutkowska wrote:
> Digital Signatures do *not* prove any other property, e.g. that the file
> is not malicious. In fact there is nothing that could stop people from
> signing a malicious program, and it even happens from time to time in
> reality.
Well, in fact we
On 05/26/2010 02:55 PM, Tobias Ellinghaus wrote:
> On Wednesday, 26 May 2010, Joanna Rutkowska wrote:
>
> [...]
>
>> Digital Signatures can prove that a given file is authentic, i.e. that
>> it has been indeed created by a person that signed it (e.g. KDE release
>> manager), and that its contents
For background discussion see this thread on kde-devel:
http://lists.kde.org/?t=12747932026&r=1&w=2
I. The Incentive
================
Digital Signatures can prove that a given file is authentic, i.e. that
it has been indeed created by a person that signed it (e.g. KDE release
manager), and t