From mboxrd@z Thu Jan  1 00:00:00 1970
From: Troy Sankey <sankeytms@gmail.com>
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 16:42:03 -0400
Message-ID: <147267612379.23966.11891288083486079812@what>
References: <cu7d1kpv6qc.fsf@systemreboot.net> <87oa49crz1.fsf@gmail.com>
	<cu7shtlz8eq.fsf@systemreboot.net> <20160831172204.GB28096@jasmine>
	<cu7k2ewpywr.fsf@systemreboot.net> <87wpiwlmea.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
	micalg="pgp-sha256"; boundary="===============2121536606=="
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48233)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <sankeytms@gmail.com>) id 1bfCKr-00041y-Kh
	for help-guix@gnu.org; Wed, 31 Aug 2016 16:42:14 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <sankeytms@gmail.com>) id 1bfCKq-0000tm-VA
	for help-guix@gnu.org; Wed, 31 Aug 2016 16:42:13 -0400
Content-Disposition: inline
In-Reply-To: <87wpiwlmea.fsf@gnu.org>
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>, Arun Isaac <arunisaac@systemreboot.net>
Cc: help-guix <help-guix@gnu.org>

--===============2121536606==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Quoting Ludovic Court=C3=A8s (2016-08-31 16:21:49)
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout=E2=80=A6)

In that case, not all hope is lost---I've seen many projects sign git tags.

Troy

--===============2121536606==
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJXx0EZAAoJEIRGmXXw0dCUWCMP/RnYnq2yhsmWqg5Nfu4zbOFc
vgMBIiOOrQAJHR7Uxic1oiyXyK2LR6qkb4F1uwySsASunpaI7wQG5O2AlvZ2fERO
n1YXLgJUQGozwigW6GXf9RhK1ZsH/2jnWnBECN0X7nUWpTsHCc4VEm4kr4jv5yHb
Ce+oC/QZ7RLPdR8IMKo08q2OAx6tjUuQd2lAHCKY2XL0zmRy8mQW8vPW7Qmabs7N
qYl2Ozw2O0bhpmkPAU+/bJLAPQqCzHHlKdYWKlfUYWAfBWE9SrpCyEDjydGZNKFs
9KScOZqz3Ay24tAykqOUqpGhax2tu6R9RMUj1+G4JLAN2RmD/YA1B1rX6MyYOpjW
qQS6uviY4eaJIJEWVbgKVTD5KZwvnZnyWyu928aydULx5h3lUq8HMwUIkwBxKWzR
YB45qsD6D89Z8YxBVPKn+mZDzPkz4e5DCRogl6aR1zPFr+7NNm5/qzBvyJfRW/dS
34qv0Pc8wiXh9RpKAa+1uzOpRQGTXcs7oiiv3O3oqhu7LVv/GlLqHbdOW1/9wcTA
z8y1Zvggnoi/0DERHt2YJ9I8cgivxnPwxxkHFrO3HN4jHQZXvzwPEZ2n36Hi/iW9
9Ark/7J8gNoBC98vfxNTIDYkoU/CUxttjotX7HG61jVoaqVGLc+ml4D4rvrALTSb
VEDs5lVeEjHYHMkxvcmX
=obZu
-----END PGP SIGNATURE-----

--===============2121536606==--