From: Arun Isaac
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 13:17:57 +0530
In-reply-to: <87oa49crz1.fsf@gmail.com>
To: Alex Kost
Cc: help-guix

> I think the procedure is: a packager verifies the source and that's it.
> Since a package has a hash of the source, we can be sure that the source
> wasn't changed since it was packaged, so if we find that a package has
> a compromised source, we can blame the packager.

Ah, that sounds good enough. Still, for the sake of completion, it would be nice for Guix to have support for verifying GPG signed source archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified GPG signatures before building.
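The makepkg-style check the message describes (verify the upstream signature on a source archive, fail closed before building), as an added example that is not from this thread or from Guix or Parabola: it pins the full fingerprint from gpg's VALIDSIG status line against a packager-controlled keyring instead of trusting GOODSIG or a bare exit status. The keyring path, fingerprint and status-fd output are constructed placeholders.

```python
"""Fail-closed check of a detached GPG signature on a source archive."""
import subprocess

# Status words after which the signature must not be accepted. EXPKEYSIG and
# REVKEYSIG are cryptographically good signatures from a key that should no
# longer be trusted, so they are rejected explicitly rather than ignored.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def signature_is_trusted(status_lines, expected_fpr):
    """Accept only if gpg reported VALIDSIG carrying the pinned fingerprint.

    VALIDSIG carries the full 40-hex-digit fingerprint; GOODSIG carries only
    the 64-bit key ID, which is too short to pin a key on, so it is ignored.
    """
    expected = expected_fpr.replace(" ", "").upper()
    valid = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        word = fields[1]
        if word in REJECT:
            return False
        if word == "VALIDSIG" and len(fields) > 2 and fields[2].upper() == expected:
            valid = True
    return valid


def verify_archive(archive, sig, keyring, expected_fpr):
    """Run gpg against a packager-controlled keyring and pin the fingerprint."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1",
         "--no-default-keyring", "--keyring", keyring,
         "--verify", sig, archive],
        capture_output=True, text=True)
    return signature_is_trusted(proc.stdout.splitlines(), expected_fpr)


# Constructed sample of gpg --status-fd output; not real key material.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <example@example.org>",
    "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2016-08-31 1472629677 0 4 0 1 8 00 " + SAMPLE_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_EXPIRED = [
    "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Upstream <example@example.org>",
    "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2016-08-31 1472629677 0 4 0 1 8 00 " + SAMPLE_FPR,
]
```

`verify_archive` needs a real `gpg` binary and keyring; `signature_is_trusted` can be exercised on the constructed samples alone.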