Hey,
> Does that really fix anything if no one has my gpg key in the
> trusted/validated signatures area? How do they know it's me that signed the
> package and not some hacker that got access to the server and did sign the
> tarballs?

On the one side, if the private key is easy to grab, it does not help improve security, but if the private key lives only on a specific secured computer it would help a lot.

One major thing is that I can easily see that it is the same key used as for the release before. I can be sure that nobody changed the tarballs on the server after they were pushed. And this is really a security issue; it happens for other open-source projects. And also if I would create a gpg key with the same name, others would see that a different key was used.

We can publish the release key on the website and keyservers, make prints at Akademy, ...

So at first it is the TOFU security model, but with time we can improve the security.

Regards,
sandro

_______________________________________________
release-team mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/release-team

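The key-continuity check Sandro describes (accept the release key on first use, then require that every later tarball is signed by that same key) as an added example; it is not code from the thread or from any KDE tooling. It assumes a detached `<tarball>.sig` next to the tarball and a hypothetical pin file holding the previous release's fingerprint; the gpg status output embedded below is constructed.

```python
"""Trust-on-first-use (TOFU) key pinning for gpg-signed release tarballs."""
import subprocess
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample of what `gpg --status-fd 1 --verify` emits for a good signature.
# The last field of VALIDSIG is the *primary* key fingerprint; the second field may
# be a signing subkey, so pinning the primary survives subkey rotation.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Releaser (release key)
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def signing_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG line, or None when gpg
    reported no valid signature (BADSIG, ERRSIG, key not available, ...)."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[-1]
    return None


def tofu_check(fingerprint: Optional[str], pinned: Optional[str]) -> Tuple[bool, Optional[str]]:
    """TOFU decision: no valid signature -> reject; first sight -> accept and pin;
    afterwards -> accept only the key used for the previous release.
    Returns (accepted, fingerprint_to_pin)."""
    if fingerprint is None:
        return False, pinned
    if pinned is None:
        return True, fingerprint
    return fingerprint == pinned, pinned


def verify_release(tarball: Path, pin_file: Path) -> bool:
    """Verify tarball against tarball.sig and enforce key continuity via pin_file
    (hypothetical path). Requires a gpg binary on PATH with the key imported."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", f"{tarball}.sig", str(tarball)],
        capture_output=True, text=True)
    status = proc.stdout if proc.returncode == 0 else ""  # non-zero exit: treat as no valid sig
    pinned = pin_file.read_text().strip() if pin_file.exists() else None
    accepted, new_pin = tofu_check(signing_fingerprint(status), pinned)
    if accepted and new_pin != pinned:
        pin_file.write_text(new_pin + "\n")  # first use: record the release key
    return accepted
```

A mismatch against the pin is exactly the "different key was used" signal from the mail; publishing the expected fingerprint on the website or at Akademy lets users seed the pin file instead of trusting the first download blindly.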