On Wed, Aug 31, 2016 at 01:17:57PM +0530, Arun Isaac wrote:
Alex Kost wrote:
> > I think the procedure is: a packager verifies the source and that's it.
> > Since a package has a hash of the source, we can be sure that the source
> > wasn't changed since it was packaged, so if we find that a package has
> > a compromised source, we can blame the packager.
> 
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.

There was a discussion about verifying signatures of GNU packages using
a GNU keyring, but it didn't end up happening. This would have enabled a
more trustworthy automatic update system for the GNU packages. It should
be in the guix-devel mailing list archive.

In my opinion, a limitation of verifying signatures automatically is
that the web of trust requires us (humans) to make sure the key
corresponds to the person or group that we intend to trust.

GnuPG will automatically download a missing key when verifying a
signature, but it's up to us to decide if the key is worth trusting.

As Alex said, Guix packagers verify signatures and then put tarball
hashes into package definitions. So, I bet that Guix users don't often
verify the signatures themselves; instead they choose to trust the
packagers, which is one reason we started signing all our Git commits.

Does Parabola have some sort of keyring that all the upstream keys go
into? Or did I misinterpret your suggestion? I'm not familiar with the
Parabola package management system.

By the way, we still have some work to do on a related topic:
https://bugs.gnu.org/22883