From: ludo@gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac@systemreboot.net>
Cc: help-guix <help-guix@gnu.org>
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 22:21:49 +0200 [thread overview]
Message-ID: <87wpiwlmea.fsf@gnu.org> (raw)
In-Reply-To: <cu7k2ewpywr.fsf@systemreboot.net> (Arun Isaac's message of "Thu, 01 Sep 2016 00:07:56 +0530")
Hi,
Arun Isaac <arunisaac@systemreboot.net> skribis:
> When you are building a package from source, the Parabola build system
> verifies the GPG signature of the source archive if the developer's key
> is in your keyring. Else, it raises an error and asks you to get the
> required key manually. There is also an option that tells the build
> system to automatically fetch the key if it is not in your keyring.
‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
packagers are expected to authenticate tarballs by themselves, as much
as possible (usually, I guess we often use a TOFU-style model because
that’s often the best one can do.)
An improvement that was proposed earlier is to store in package recipes
the fingerprint of the OpenPGP key a package was checked against. That
would force packagers to formally specify what they did, and would allow
us to have tools that double-check; IOW, it could be thought of as TOFU
at the scale of our community, instead of per-packager:
https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
Help in this area is very much welcome! :-)
(That said, more and more software is distributed via Git rather than as
tarballs, and most repos are unsigned; even if they were, there are
basically no tools to meaningfully authenticate a Git checkout…)
Ludo’.
next prev parent reply other threads:[~2016-08-31 20:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-31 5:37 Packaging packages with GPG signed source archives Arun Isaac
2016-08-31 7:33 ` Alex Kost
2016-08-31 7:47 ` Arun Isaac
2016-08-31 10:00 ` ng0
2016-08-31 17:22 ` Leo Famulari
2016-08-31 18:37 ` Arun Isaac
2016-08-31 20:21 ` Ludovic Courtès [this message]
2016-08-31 20:42 ` Troy Sankey
2016-09-01 8:29 ` Ludovic Courtès
2016-08-31 21:53 ` ng0
2016-09-01 8:30 ` Ludovic Courtès
2016-09-02 10:10 ` ng0
2016-09-02 12:14 ` Ludovic Courtès
2016-09-02 12:46 ` ng0
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wpiwlmea.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=arunisaac@systemreboot.net \
--cc=help-guix@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).