From: ng0 <ng0@we.make.ritual.n0.is>
To: "Ludovic Courtès" <ludo@gnu.org>,
"Arun Isaac" <arunisaac@systemreboot.net>
Cc: help-guix <help-guix@gnu.org>
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 21:53:07 +0000 [thread overview]
Message-ID: <878tvcmwqk.fsf@we.make.ritual.n0.is> (raw)
In-Reply-To: <87wpiwlmea.fsf@gnu.org>
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Arun Isaac <arunisaac@systemreboot.net> skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key manually. There is also an option that tells the build
>> system to automatically fetch the key if it is not in your keyring.
>
> ‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
> packagers are expected to authenticate tarballs by themselves, as much
> as possible (usually, I guess we often use a TOFU-style model because
> that’s often the best one can do.)
>
> An improvement that was proposed earlier is to store in package recipes
> the fingerprint of the OpenPGP key a package was checked against. That
> would force packagers to formally specify what they did, and would allow
> us to have tools that double-check; IOW, it could be thought of as TOFU
> at the scale of our community, instead of per-packager:
>
> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>
> Help in this area is very much welcome! :-)
>
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
>
> Ludo’.
>
On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?
--
ng0
For non-prism friendly talk find me on http://www.psyced.org
next prev parent reply other threads:[~2016-08-31 21:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-31 5:37 Packaging packages with GPG signed source archives Arun Isaac
2016-08-31 7:33 ` Alex Kost
2016-08-31 7:47 ` Arun Isaac
2016-08-31 10:00 ` ng0
2016-08-31 17:22 ` Leo Famulari
2016-08-31 18:37 ` Arun Isaac
2016-08-31 20:21 ` Ludovic Courtès
2016-08-31 20:42 ` Troy Sankey
2016-09-01 8:29 ` Ludovic Courtès
2016-08-31 21:53 ` ng0 [this message]
2016-09-01 8:30 ` Ludovic Courtès
2016-09-02 10:10 ` ng0
2016-09-02 12:14 ` Ludovic Courtès
2016-09-02 12:46 ` ng0
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878tvcmwqk.fsf@we.make.ritual.n0.is \
--to=ng0@we.make.ritual.n0.is \
--cc=arunisaac@systemreboot.net \
--cc=help-guix@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).