Re: Packaging packages with GPG signed source archives
From: Alex Kost
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 10:33:54 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Arun Isaac (2016-08-31 08:37 +0300) wrote:
> I am trying to package a package that provides a GPG signed source
> archive. Is there any way to get Guix to verify this signature, by say,
> specifying it in the 'origin' object of the 'source' field of the
> package? What is the standard way this is done in Guix?
I think the procedure is: a packager verifies the source and that's it.
Since a package has a hash of the source, we can be sure that the source
wasn't changed since it was packaged, so if we find that a package has
a compromised source, we can blame the packager.
--
Alex
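
The check the reply relies on, as an added example that is not part of the original message or of Guix's code: once the packager has verified the signature, the hash recorded in the package definition is what detects any later change to the source. It assumes the hash is a SHA-256 in the nix-base32 form that `guix hash` prints; the tarball bytes and the names `guix_hash` and `source_matches_origin` are constructed for illustration.

```python
import hashlib

# Nix/Guix base32 alphabet: digits and lowercase letters without e, o, t, u.
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a digest in nix-base32: the bytes are read as a little-endian
    integer and emitted as 5-bit groups, most significant group first."""
    value = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1  # 52 characters for SHA-256
    return "".join(
        ALPHABET[(value >> (5 * k)) & 0x1F] for k in range(length - 1, -1, -1)
    )


def guix_hash(data: bytes) -> str:
    """SHA-256 of the source bytes, in the form stored in a package definition."""
    return nix_base32(hashlib.sha256(data).digest())


def source_matches_origin(data: bytes, pinned: str) -> bool:
    """True only if the fetched bytes are exactly what the packager hashed."""
    return guix_hash(data) == pinned


# Constructed stand-in for the tarball the packager checked against its signature.
RELEASED = b"constructed stand-in for foo-1.0.tar.gz, signature checked by packager\n"
# The packager records this value once, after the signature check succeeds.
PINNED = guix_hash(RELEASED)
# Constructed stand-in for a tarball altered after packaging.
TAMPERED = RELEASED.replace(b"checked", b"skipped")

if __name__ == "__main__":
    print("pinned hash:      ", PINNED)
    print("original accepted:", source_matches_origin(RELEASED, PINNED))
    print("tampered accepted:", source_matches_origin(TAMPERED, PINNED))
```

The pinned hash only proves the source is the one the packager saw; whether that source was authentic still rests on the packager's one-time signature check.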