From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Checking signatures on source tarballs
Date: Mon, 12 Oct 2015 18:38:11 +0200
Message-ID: <87si5gavpo.fsf@gnu.org>
References: <1443791046-1015-1-git-send-email-alezost@gmail.com>
 <1443791046-1015-3-git-send-email-alezost@gmail.com>
 <87d1wvadw2.fsf@gnu.org> <87bnceah2e.fsf@gmail.com>
 <87r3la6077.fsf@gnu.org> <87eghalc7s.fsf@gmail.com>
 <87wpv1tils.fsf@gnu.org> <87a8rwf2vl.fsf@gmail.com>
 <8737xntorr.fsf_-_@netris.org> <87k2qy7uj7.fsf@gnu.org>
 <87io6iojmf.fsf@netris.org> <87bnca2y59.fsf@gnu.org>
 <87y4fdtwi1.fsf@inria.fr> <1444639029.2637.49.camel@invergo.net>
 <1444641491.2637.67.camel@invergo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <1444641491.2637.67.camel@invergo.net> (Brandon Invergo's message of "Mon, 12 Oct 2015 10:18:11 +0100")
Errors-To: bug-gsrc-bounces+gcggb-bug-gsrc=m.gmane.org@gnu.org
Sender: bug-gsrc-bounces+gcggb-bug-gsrc=m.gmane.org@gnu.org
To: Brandon Invergo
Cc: guix-devel@gnu.org, Mark H Weaver , Alex Kost , bug-gsrc@gnu.org
List-Id: guix-devel.gnu.org

Brandon Invergo wrote:

> On Mon, 2015-10-12 at 09:37 +0100, Brandon Invergo wrote:
>
>> I could swear that previously a keyring of the GNU maintainers was
>> made available by the FSF somewhere but I cannot find it.
>
> http://ftp.gnu.org/gnu/gnu-keyring.gpg

The main issue is that this file is not signed (that would have to be
done by the person responsible for FTP uploads, presumably an FSF
employee.)

A second issue, as Mark wrote, is that it is coarse-grain: it does not
tell exactly which package a given key corresponds to.

However, this package → keys mapping necessarily exists somewhere. I
think we should ask the FSF to publish it and provide a way to
authenticate it.

WDYT?

Ludo’.
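
Added example, not part of the original message and not Guix or GSRC code: it contrasts accepting any key in a flat keyring with checking the signer against a per-package key set, using GnuPG's `--status-fd` VALIDSIG lines. The fingerprints, the `PACKAGE_KEYS` mapping and all function names are constructed for illustration; the mapping is assumed to have been authenticated separately.

```python
import re

# Constructed sample data: these fingerprints and the package -> keys
# mapping are made up; no such published mapping is assumed to exist.
ALICE, BOB = "A" * 40, "B" * 40
KEYRING = {ALICE, BOB}                            # flat keyring: any maintainer
PACKAGE_KEYS = {"hello": {ALICE}, "sed": {BOB}}   # hypothetical mapping

# GnuPG --status-fd line for a good signature: the first field after
# VALIDSIG is the signing key's fingerprint, the last is the primary key's.
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b(.*)$", re.M)


def valid_signers(status):
    """Primary-key fingerprints of every cryptographically valid signature."""
    signers = set()
    for match in VALIDSIG.finditer(status):
        fields = match.group(2).split()
        last = fields[-1] if fields else ""
        # Older GnuPG versions omit the trailing primary-key fingerprint.
        is_fpr = re.fullmatch(r"[0-9A-F]{40}", last)
        signers.add(last if is_fpr else match.group(1))
    return signers


def keyring_only_check(status, keyring):
    """Coarse check: a valid signature by any key in the keyring passes."""
    return bool(valid_signers(status) & keyring)


def per_package_check(status, package, package_keys):
    """Fine-grained check: the signer must be listed for this package."""
    return bool(valid_signers(status) & package_keys.get(package, set()))


def status_for(fpr):
    """Build a constructed status line as gpg would emit for signer `fpr`."""
    return f"[GNUPG:] VALIDSIG {fpr} 2015-10-12 1444667891 0 4 0 1 8 00 {fpr}\n"


if __name__ == "__main__":
    # A "hello" tarball signed by the key that belongs to "sed".
    status = status_for(BOB)
    print("keyring only:", keyring_only_check(status, KEYRING))
    print("per package :", per_package_check(status, "hello", PACKAGE_KEYS))
```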