From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 22:21:49 +0200
Message-ID: <87wpiwlmea.fsf@gnu.org>
To: Arun Isaac
Cc: help-guix

Hi,

Arun Isaac skribis:

> When you are building a package from source, the Parabola build system
> verifies the GPG signature of the source archive if the developer's key
> is in your keyring. Else, it raises an error and asks you to get the
> required key manually. There is also an option that tells the build
> system to automatically fetch the key if it is not in your keyring.

‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
packagers are expected to authenticate tarballs by themselves, as much
as possible (usually, I guess we often use a TOFU-style model because
that’s often the best one can do.)

An improvement that was proposed earlier is to store in package recipes
the fingerprint of the OpenPGP key a package was checked against. That
would force packagers to formally specify what they did, and would allow
us to have tools that double-check; IOW, it could be thought of as TOFU
at the scale of our community, instead of per-packager:

  https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html

Help in this area is very much welcome! :-)

(That said, more and more software is distributed via Git rather than as
tarballs, and most repos are unsigned; even if they were, there are
basically no tools to meaningfully authenticate a Git checkout…)

Ludo’.
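The check Ludo describes (a recipe carries the fingerprint of the key the tarball was verified against, and a tool re-checks it) and the failure mode Arun describes (the signing key is not in the keyring yet) can both be seen in the following added example. It is not Guix code and not part of the original thread; it assumes GnuPG 2.x is installed as `gpg`, and the function name `verify_pinned`, the exit-code convention and the sample file names are choices made here for illustration.

```shell
#!/bin/sh
# Added illustration (not Guix code): verify a source tarball against its
# detached OpenPGP signature, then require that the signing key's primary
# fingerprint equals the fingerprint pinned in the package recipe.
# Assumes GnuPG 2.x as `gpg`; verify_pinned and the exit codes are invented here.
#
# Exit codes: 0 = valid signature by the pinned key
#             1 = bad/no signature, or a valid signature by a DIFFERENT key
#             2 = signing key not in the keyring (the TOFU step: fetch and
#                 inspect the key out of band, then re-run)
verify_pinned() {
    tarball=$1; sig=$2
    # Normalize the pinned value so "ab cd ..." and "ABCD..." compare equal.
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')

    # --status-fd 1 puts GnuPG's machine-readable status lines on stdout;
    # the human-readable chatter on stderr is discarded. gpg exits non-zero
    # on any failure, so the status is captured regardless of exit code.
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true

    case "$status" in
        *'[GNUPG:] NO_PUBKEY'*)
            echo "verify_pinned: signing key is not in the keyring; obtain and check it manually" >&2
            return 2 ;;
    esac

    # VALIDSIG <sig fpr> <date> <ts> <exp> <ver> <res> <pkalg> <hashalg> <class> <primary fpr>
    # GnuPG emits VALIDSIG only for a cryptographically valid signature; its
    # last field is the fingerprint of the PRIMARY key, which is what a recipe
    # should pin (signing subkeys may rotate, the primary identifies upstream).
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    if [ -z "$primary" ]; then
        echo "verify_pinned: no valid signature on $tarball" >&2
        return 1
    fi
    if [ "$primary" != "$pinned" ]; then
        # A good signature from an unexpected key is the interesting case:
        # either upstream changed keys (update the recipe deliberately) or
        # somebody else signed the tarball. Never accept it silently.
        echo "verify_pinned: signed by $primary, recipe pins $pinned" >&2
        return 1
    fi
    echo "verify_pinned: $tarball signed by pinned key $primary"
    return 0
}

# Stand-alone use: verify-pinned.sh TARBALL TARBALL.sig PINNED-FINGERPRINT
if [ "$#" -eq 3 ]; then
    verify_pinned "$1" "$2" "$3"
fi
```

Pinning the primary-key fingerprint rather than "the key is in my keyring" is what turns a per-packager TOFU decision into something a second person or a tool can re-check: a good signature from a key other than the pinned one is reported as a failure instead of being waved through, and a missing key is reported separately so the packager knows the trust decision still has to be made.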