Security
It is very important that before you download, build, install, or use software (of any sort, not just KPilot), you understand what you are doing and verify that what you are downloading / building / installing / using is, in fact, what you think it to be. You can find more details about the importance of checking the integrity of software on this pilot-link project page. Never download and execute untrusted content -- even if it says "c'mon, trust me."
To help you verify the integrity of KPilot downloads from this site, we provide two pieces of information for you:
- A GPG signature. This is typically named the same as the file it is a signature for, with an additional ".asc" suffix. For example, kpilot-X.X.X.tbz.asc is the signature for kpilot-X.X.X.tbz. This signature will help you verify that the files you download from this website were actually created by me.
- An md5 sum file. This is typically named the same as the file it is a sum for, with the suffix of ".md5". In addition to the above signature, the md5 sum also ensures that the files you download from this site were never tampered with or modified in-transit.
The way to verify that a file is valid is to download it and the signature file (click on the lock icon to download the signature). Check the md5 sums of the file and the signature against published values - the md5 sums will be displayed when you point at the lock icon, but they are also announced on the kde-pim mailing list.
Calculate the sums of your copies:
    $ md5sum *.tbz *.asc
    some output here
Compare the calculated values with the published values.
Next, use gpg to verify the signatures of the tarballs against the tarballs themselves:
    $ gpg --verify kpilot-X.X.X.tbz.asc kpilot-X.X.X.tbz
Repeat the verification step for each tarball.
Recently, it has been shown that md5 can be "cracked". I don't believe KPilot to be an exciting target for such a crack, but in the meantime, it's best to be wary. I'll be adding SHA256 hashes as well (as soon as I figure out how).
KPilot GPG Key
KPilot has a GPG key which is used for signing tarballs and similar important files; you should use this key to check tarballs downloaded from this site for integrity. You can fetch the key here, or copy and paste from the box below. The pilot-link site has a good page on the importance of integrity-checking, with the GPG key for pilot-link as well.
The md5 sum and the fingerprint of the key are:
MD5 (gpg.pub.txt) = 54cfb31afa3ea6546e43b31b0da7f0cc
pub 1024D/B571535C 2004-05-15 Adriaan de Groot (KPilot)
Finally, you can get a GPG signature of the gpg.pub.txt file, signed by Adriaan de Groot (key ID FEA2A3FE).
Both the KPilot public key (key ID B571535C) and Adriaan's public key (key ID FEA2A3FE) can be retrieved from public key servers like pgp.mit.edu.
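The verification procedure described above as a script, added here as an example and not part of the KPilot project: it checks each tarball against its .md5 file (md5sum output or the BSD "MD5 (name) = ..." form shown above) and accepts the GPG signature only if it was made by the KPilot key ID published on this page. The function names and the layout of FILE.md5 and FILE.asc beside each tarball are assumptions.

```shell
#!/bin/sh
# Added example, not KPilot project code. Assumes md5sum, awk and gpg are on
# PATH and that FILE.md5 and FILE.asc sit next to each downloaded FILE.
KPILOT_KEYID=B571535C    # key ID as published on this page

# Print the digest recorded in a sum file. Accepts both md5sum output
# ("<hex>  name") and the BSD form used on this page ("MD5 (name) = <hex>").
published_md5() {
    awk '/^MD5 \(.*\) = [0-9A-Fa-f]+/ { print tolower($NF); exit }
         /^[0-9A-Fa-f]+ [ *]/         { print tolower($1);  exit }' "$1"
}

# check_md5 FILE SUMFILE: succeed only if FILE hashes to the published value.
check_md5() {
    want=$(published_md5 "$2")
    have=$(md5sum < "$1" | awk '{ print tolower($1) }')
    [ "${#want}" -eq 32 ] && [ "$want" = "$have" ]
}

# signed_by KEYID: read `gpg --status-fd 1 --verify` output on stdin and
# succeed only on a VALIDSIG line whose fingerprint ends in KEYID. A plain
# `gpg --verify` exits 0 for a good signature from any key in the keyring.
signed_by() {
    awk -v id="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper($3); n = length(id)
            if (substr(fpr, length(fpr) - n + 1) == toupper(id)) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release TARBALL: both checks, failing closed on any error.
verify_release() {
    check_md5 "$1" "$1.md5" ||
        { echo "$1: md5 sum does not match $1.md5" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        signed_by "$KPILOT_KEYID" ||
        { echo "$1: no valid signature from key $KPILOT_KEYID" >&2; return 1; }
    echo "$1: md5 and signature OK"
}

# Usage: sh verify.sh kpilot-X.X.X.tbz [more tarballs...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do verify_release "$f" || exit 1; done
fi
```

signed_by matches a suffix of any length, so the full 40-digit fingerprint can be passed in place of the short key ID once you have it from a trusted source.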