From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Packaging packages with GPG signed source archives
Date: Thu, 01 Sep 2016 10:29:16 +0200
Message-ID: <87d1kouioz.fsf@gnu.org>
References: <87oa49crz1.fsf@gmail.com> <20160831172204.GB28096@jasmine> <87wpiwlmea.fsf@gnu.org> <147267612379.23966.11891288083486079812@what>
In-Reply-To: <147267612379.23966.11891288083486079812@what> (Troy Sankey's message of "Wed, 31 Aug 2016 16:42:03 -0400")
To: Troy Sankey
Cc: help-guix

Troy Sankey wrote:

> Quoting Ludovic Courtès (2016-08-31 16:21:49)
>> (That said, more and more software is distributed via Git rather than as
>> tarballs, and most repos are unsigned; even if they were, there are
>> basically no tools to meaningfully authenticate a Git checkout…)
>
> In that case, not all hope is lost---I've seen many projects sign git tags.

Indeed, but signing is the easy part.  :-)

  http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#73

Ludo’.