From: Brandon Invergo
Subject: Re: Checking signatures on source tarballs
Date: Mon, 12 Oct 2015 09:37:09 +0100
Message-ID: <1444639029.2637.49.camel@invergo.net>
In-Reply-To: <87y4fdtwi1.fsf@inria.fr>
To: Ludovic Courtès
Cc: guix-devel@gnu.org, Mark H Weaver, Alex Kost, bug-gsrc@gnu.org

Hi everyone,

On Thu, 2015-10-08 at 13:44 +0200, Ludovic Courtès wrote:
> Actually I see that GSRC already maintains per-package keyrings.
>
> How is this maintained, Brandon? That is, where do you get information
> on which keys to put in the keyring, etc.?

Admittedly, it's not ideal. When we first add a package, we make a keyring for it based on whatever information is available to us. Sometimes the public key is listed in the release announcement. Other times, we just have to grab the public key of whatever we see the package was signed with. Obviously, that's not very secure since it could have been signed by an attacker. However, usually this process is only performed when adding a new (to GNU) package. Then, if the signature-checking process ever fails on future releases, I actually look into it.
Sometimes, no public key is available in any of the key servers as far as I can tell. In those cases, we ignore the signature. As I said, this isn't ideal and I would welcome any ideas for a unified solution for both GSRC and Guix. I could swear that previously a keyring of the GNU maintainers was made available by the FSF somewhere, but I cannot find it. One minimal thing that I can do is to send out a request to all maintainers to make the public key (or at least its id) available on the package's home page... we still probably wouldn't have 100% coverage, but it's a start.

-brandon
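The per-package keyring check described in this message, written out as an added example (not GSRC's or Guix's own code): the tarball signature is verified against only that package's keyring, and the "signing key not in the keyring" case is reported as a distinct verdict that fails closed rather than being ignored. The `keyrings/PACKAGE.gpg` layout and the `KEYRING_DIR` variable are assumptions of this example; the status words are GnuPG's documented `--status-fd` output.

```shell
#!/bin/sh
# Added example, not from the GSRC/Guix thread. Assumes one keyring per
# package at $KEYRING_DIR/PACKAGE.gpg (layout is an assumption here).

# classify_gpg_status: read `gpg --status-fd` lines on stdin and print one
# verdict: good, bad, no-pubkey, expired, revoked or unknown. A later
# non-good status always overrides an earlier GOODSIG, so a file carrying
# one good and one bad signature is still reported as bad.
classify_gpg_status() {
  result=unknown
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "[GNUPG:] GOODSIG "*)   if [ "$result" = unknown ]; then result=good; fi ;;
      "[GNUPG:] BADSIG "*)    result=bad ;;
      "[GNUPG:] NO_PUBKEY "*) result=no-pubkey ;;   # key absent from this keyring
      "[GNUPG:] EXPKEYSIG "*) result=expired ;;
      "[GNUPG:] REVKEYSIG "*) result=revoked ;;
    esac
  done
  printf '%s\n' "$result"
}

# verify_tarball PACKAGE TARBALL: verify TARBALL.sig against the package's
# own keyring only (no default keyring, so a key merely present on the
# builder's machine does not count). Returns 0 only for a good signature.
verify_tarball() {
  pkg=$1 tarball=$2
  keyring="${KEYRING_DIR:-$PWD/keyrings}/$pkg.gpg"
  if [ ! -r "$keyring" ]; then
    echo "$pkg: no keyring at $keyring" >&2; return 2
  fi
  gpg_status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                   --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null)
  verdict=$(printf '%s\n' "$gpg_status" | classify_gpg_status)
  case "$verdict" in
    good)      echo "$tarball: good signature (keyring $keyring)"; return 0 ;;
    no-pubkey) echo "$tarball: signed by a key not in $keyring; look into it before accepting the release" >&2; return 1 ;;
    *)         echo "$tarball: signature check failed ($verdict)" >&2; return 1 ;;
  esac
}

if [ "$#" -eq 2 ]; then verify_tarball "$@"; fi
```

Run as `sh verify.sh PACKAGE path/to/PACKAGE-1.0.tar.gz` with `PACKAGE-1.0.tar.gz.sig` beside the tarball; the exit code is what a build script should branch on.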