From mboxrd@z Thu Jan  1 00:00:00 1970
From: Arun Isaac <arunisaac@systemreboot.net>
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 13:17:57 +0530
Message-ID: <cu7shtlz8eq.fsf@systemreboot.net>
References: <cu7d1kpv6qc.fsf@systemreboot.net> <87oa49crz1.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:40213)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arunisaac@systemreboot.net>) id 1bf0Fn-0003kn-NC
	for help-guix@gnu.org; Wed, 31 Aug 2016 03:48:12 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <arunisaac@systemreboot.net>) id 1bf0Fj-000574-IW
	for help-guix@gnu.org; Wed, 31 Aug 2016 03:48:10 -0400
Received: from [117.218.232.8] (port=46510 helo=systemreboot.net)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arunisaac@systemreboot.net>) id 1bf0Fi-00056h-Vo
	for help-guix@gnu.org; Wed, 31 Aug 2016 03:48:07 -0400
In-reply-to: <87oa49crz1.fsf@gmail.com>
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: Alex Kost <alezost@gmail.com>
Cc: help-guix <help-guix@gnu.org>

--=-=-=
Content-Type: text/plain


> I think the procedure is: a packager verifies the source and that's it.
> Since a package has a hash of the source, we can be sure that the source
> wasn't changed since it was packaged, so if we find that a package has
> a compromised source, we can blame the packager.

Ah, that sounds good enough. Still, for the sake of completion, it would
be nice for Guix to have support for verifying GPG signed source
archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
GPG signatures before building.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXxoutAAoJEC4l7othgCuz3WgIAL2jqOrjprd2FcO8R8AR+QtG
JOIV5FP+q+FzJn2oUyIc8CFkDpl+0SRkzq/TgqEw84OYHXqFDu5cnAMETbDZM0d+
dKltQrw2efOi1DI64zdYTMu7UBUNUarSjSGkSavZxe2sDoelzHliJ1f02MDp9mA3
LjHM+thZEHJa++/ALPDsi/3/k6yc+han3LHDcy+k5reUspmrq7cdspujfYej6Tau
b0WPAiJB/UgH6dv5tSOa/TysIeNd2dH2W/MOft2RuqDgRHlvO+6m0DQRd1z7Pbnz
rSWMkAuVeWyAom43CNJJWNLtfPC2MzBc4Cz9KW1stuY3wkhJtj5rNygvae6NVnA=
=2EkT
-----END PGP SIGNATURE-----
--=-=-=--