guix-devel

Re: [bug-gsrc] Checking signatures on source tarballs


From: Ludovic Courtès
Subject: Re: [bug-gsrc] Checking signatures on source tarballs
Date: Mon, 12 Oct 2015 18:38:11 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Brandon Invergo <address@hidden> wrote:

> On Mon, 2015-10-12 at 09:37 +0100, Brandon Invergo wrote:
>
>> I could swear that previously a keyring of the GNU maintainers was
>> made available by the FSF somewhere but I cannot find it.
>
> http://ftp.gnu.org/gnu/gnu-keyring.gpg

The main issue is that this file is not signed (that would have to be
done by the person responsible for FTP uploads, presumably an FSF
employee.)

A second issue, as Mark wrote, is that it is coarse-grained: it does not
tell exactly which package a given key corresponds to.

However, this package → keys mapping necessarily exists somewhere.  I
think we should ask the FSF to publish it and provide a way to
authenticate it.

WDYT?

Ludo’.
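
Added example, not part of the original message and not Guix or GSRC code: it contrasts accepting any key in a single keyring with checking the signer against a package → keys mapping, by parsing GnuPG `--status-fd` output. The fingerprints, the mapping, the status lines and all function names are constructed or hypothetical, and the mapping is assumed to have been authenticated separately.

```python
# Added example; all names and data below are constructed for illustration.
FPR_A = "A" * 40  # made-up fingerprint: hypothetical maintainer of "hello"
FPR_B = "B" * 40  # made-up fingerprint: hypothetical maintainer of "coreutils"

# Coarse model: one keyring, any key in it is accepted for any package.
KEYRING = {FPR_A, FPR_B}
# Fine-grained model: hypothetical package -> keys mapping, assumed to have
# been authenticated separately before use.
PACKAGE_KEYS = {"hello": {FPR_A}, "coreutils": {FPR_B}}

# Constructed `gpg --status-fd 1 --verify` output: a cryptographically valid
# signature made by FPR_B over a tarball that claims to be "hello".
STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Maintainer <b@example.org>",
    f"[GNUPG:] VALIDSIG {FPR_B} 2015-10-01 1443657600 0 4 0 1 8 00 {FPR_B}",
])

# Status keywords that mean the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_fingerprints(status_text):
    """Primary-key fingerprints of valid signatures; empty if any is rejected."""
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return set()  # bad, expired or revoked: trust nothing from this run
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # With all fields present, the last one is the primary key
            # fingerprint (it differs from the first for subkey signatures).
            signers.add((parts[-1] if len(parts) >= 12 else parts[2]).upper())
    return signers

def accepted_by_keyring(status_text, keyring=KEYRING):
    """Coarse check: was the signer anywhere in the keyring?"""
    return bool(signer_fingerprints(status_text) & keyring)

def accepted_for_package(package, status_text, mapping=PACKAGE_KEYS):
    """Fine-grained check: is the signer listed for this package?"""
    return bool(signer_fingerprints(status_text) & mapping.get(package, set()))

if __name__ == "__main__":
    print("keyring-only check:", accepted_by_keyring(STATUS))
    print("per-package, hello:", accepted_for_package("hello", STATUS))
    print("per-package, coreutils:", accepted_for_package("coreutils", STATUS))
```

The keyring-only check accepts the signature for "hello" although the key belongs to another package's maintainer; the per-package check rejects it.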


