On Tue, Jan 23 2018, Pjotr Prins wrote:
> How is it a security issue?

If I can authorise any substitute server key that I want, then I 
can authorise my own server's key. I can then create a malicious 
substitute that doesn't correspond to the build recipe in Guix. I 
could inject whatever code I want into this substitute, and have 
it placed in the store as the output for the derivation. When 
another user attempts to install the same package into their 
profile they will then use my malicious substitute (even though 
they never authorised my server's key).

Carlo