Re: Packaging packages with GPG signed source archives
From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 10:00:58 +0000
Arun Isaac <address@hidden> writes:
> [ Unknown signature status ]
>
>> I think the procedure is: a packager verifies the source and that's it.
>> Since a package has a hash of the source, we can be sure that the source
>> wasn't changed since it was packaged, so if we find that a package has
>> a compromised source, we can blame the packager.
>
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.
There is some portion of the Guix code which gets verified this way
(checking/verifying the source of Guix itself, I think, and the GNU
importer). If you think this should be implemented for every case where
a GPG key is available, we should discuss it here.
--
ng0
For non-prism friendly talk find me on http://www.psyced.org
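As an added example (not code from Guix, Parabola or anyone in this thread) of the makepkg-style pre-build check Arun describes, here is a Python sketch that verifies a detached signature through gpg's machine-readable `--status-fd` output and pins the expected signing key fingerprint, so a "good" signature from an unexpected key is still rejected. The fingerprints, key ID, user ID and status lines below are constructed sample values.

```python
"""Pin-the-key signature check before building from a source archive.
Added example; not Guix or Parabola code.  gpg's --status-fd lines are
parsed instead of its human-readable output, and the primary key
fingerprint must equal a fingerprint recorded by the packager."""
import subprocess
from typing import Optional

FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                    "EXPKEYSIG", "REVKEYSIG"}

def run_gpg_status(archive: str, sig: str, keyring: str) -> str:
    """Verify `sig` over `archive` using only `keyring`; return status lines."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sig, archive]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def verified_fingerprint(status: str) -> Optional[str]:
    """Fingerprint of the primary key behind a VALIDSIG line, or None when
    any failure status is present or no VALIDSIG was emitted."""
    fpr = None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            return None
        if keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key; when present, the 12th
            # field is the primary key fingerprint, which is what we pin.
            fpr = fields[11] if len(fields) >= 12 else fields[2]
    return fpr

def source_is_trusted(status: str, pinned_fpr: str) -> bool:
    """True only if the archive carries a valid signature from the pinned key."""
    fpr = verified_fingerprint(status)
    return fpr is not None and fpr.upper() == pinned_fpr.replace(" ", "").upper()

# Constructed sample values (not real keys): a 40-hex-digit primary key
# fingerprint and a subkey fingerprint, plus typical status output.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FINGERPRINT} 2016-08-31 1472637600 0 4 0 1 10 01 "
    f"{PINNED_FINGERPRINT}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 76543210FEDCBA98 Example Signer\n"
```

`TRUST_UNDEFINED` is what gpg reports when no web-of-trust path exists; the fingerprint pin, not gpg's trust model, is what decides here.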