From: Leo Famulari <leo@famulari.name>
To: Arun Isaac <arunisaac@systemreboot.net>
Cc: Alex Kost <alezost@gmail.com>, help-guix <help-guix@gnu.org>
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 13:22:04 -0400 [thread overview]
Message-ID: <20160831172204.GB28096@jasmine> (raw)
In-Reply-To: <cu7shtlz8eq.fsf@systemreboot.net>
[-- Attachment #1: Type: text/plain, Size: 1782 bytes --]
On Wed, Aug 31, 2016 at 01:17:57PM +0530, Arun Isaac wrote:
Alex Kost wrote:
> > I think the procedure is: a packager verifies the source and that's it.
> > Since a package has a hash of the source, we can be sure that the source
> > wasn't changed since it was packaged, so if we find that a package has
> > a compromised source, we can blame the packager.
>
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.
There was a discussion about verifying signatures of GNU packages using
a GNU keyring, but it didn't end up happening. This would have enabled a
more trustworthy automatic update system for the GNU packages. It should
be in the guix-devel mailing list archive.
In my opinion, a limitation of verifying signatures automatically is
that the web of trust requires us (humans) to make sure the key
corresponds to the person or group that we intend to trust.
GnuPG will automatically download a missing key when verifying a
signature, but it's up to us to decide if the key is worth trusting.
As Alex said, Guix packagers verify signatures and then put tarball
hashes into package definitions. So, I bet that Guix users don't often
verify the signatures themselves; instead they choose to trust the
packagers, which is one reason we started signing all our Git commits.
Does Parabola have some sort of keyring that all the upstream keys go
into? Or did I misinterpret your suggestion? I'm not familiar with the
Parabola package management system.
By the way, we still have some work to do on a related topic:
https://bugs.gnu.org/22883
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2016-08-31 17:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-31 5:37 Packaging packages with GPG signed source archives Arun Isaac
2016-08-31 7:33 ` Alex Kost
2016-08-31 7:47 ` Arun Isaac
2016-08-31 10:00 ` ng0
2016-08-31 17:22 ` Leo Famulari [this message]
2016-08-31 18:37 ` Arun Isaac
2016-08-31 20:21 ` Ludovic Courtès
2016-08-31 20:42 ` Troy Sankey
2016-09-01 8:29 ` Ludovic Courtès
2016-08-31 21:53 ` ng0
2016-09-01 8:30 ` Ludovic Courtès
2016-09-02 10:10 ` ng0
2016-09-02 12:14 ` Ludovic Courtès
2016-09-02 12:46 ` ng0
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160831172204.GB28096@jasmine \
--to=leo@famulari.name \
--cc=alezost@gmail.com \
--cc=arunisaac@systemreboot.net \
--cc=help-guix@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).