On Mon, Aug 24, 2020 at 04:36:22PM +0200, Ludovic Courtès wrote:
> Hi!
>
> Justus Winter skribis:
>
> > Ludovic Courtès writes:
> >
> > [...]
>
> We can introduce signature verification in (guix download): every time
> code is downloaded and signature metadata is available, we verify its
> signature. Unfortunately, I’m afraid this is likely to lead to lots of
> false positives, and in particular failure to retrieve the OpenPGP key.
>
> WDYT? Where would you integrate that?
>

Debian does sometimes add a public gpg key or the tarball signature inside
their debian folder. Not exactly sure how that would map for us though.

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
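The verification step Ludovic describes, and the "key shipped in the debian folder" pattern Efraim points at (Debian's uscan reads it from debian/upstream/signing-key.asc), can be combined so that the OpenPGP key is never fetched at download time: the package definition carries the maintainer's public key, and the detached signature is checked against that key alone. The script below is an added example written for this thread, not code from Guix or Debian. It assumes `gpg` and `gpgconf` (GnuPG 2.1 or later) are installed; the file names (foo-1.0.tar.gz, signing-key.asc) and the throwaway keys it generates are constructed test data.

```shell
#!/bin/sh
# Added example (not Guix code): verify a downloaded tarball against a
# detached OpenPGP signature using only a key file shipped alongside the
# package definition, the way Debian's debian/upstream/signing-key.asc is
# used.  No keyserver is consulted, so "key not retrievable" cannot turn
# into a spurious failure; a missing or wrong key is a hard failure instead.
set -eu

# verify_tarball TARBALL SIGNATURE KEYFILE
# Succeeds only if SIGNATURE is a good signature over TARBALL made by a key
# contained in KEYFILE.  A throwaway GNUPGHOME keeps the user's keyring,
# trust database and keyserver configuration out of the decision.
verify_tarball() {
    tarball=$1; sig=$2; keyfile=$3
    home=$(mktemp -d)
    status=1
    if gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null &&
       gpg --homedir "$home" --batch --quiet --trust-model always \
           --keyserver-options no-auto-key-retrieve \
           --verify "$sig" "$tarball" 2>/dev/null; then
        status=0
    fi
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    return $status
}

# make_signer DIR UID: create an unprotected signing key in DIR.  Constructed
# test data standing in for an upstream maintainer's real key.
make_signer() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never 2>/dev/null
}

# run_demo: exercise the good, wrong-key and tampered-tarball cases.
# Returns 0 only if all three behave as expected.
run_demo() {
    work=$(mktemp -d)
    upstream=$work/upstream; other=$work/other
    mkdir -m 700 "$upstream" "$other"
    make_signer "$upstream" 'Upstream <upstream@example.invalid>'
    make_signer "$other"    'Impostor <other@example.invalid>'

    # Constructed "tarball", the upstream key as it would be vendored next to
    # the package definition, and the detached signature upstream publishes.
    printf 'pretend this is foo-1.0.tar.gz\n' > "$work/foo-1.0.tar.gz"
    gpg --homedir "$upstream" --batch --quiet --armor --export > "$work/signing-key.asc"
    gpg --homedir "$upstream" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$work/foo-1.0.tar.gz.asc" "$work/foo-1.0.tar.gz"
    gpg --homedir "$other" --batch --quiet --armor --export > "$work/wrong-key.asc"

    result=1
    if verify_tarball "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc" "$work/signing-key.asc" &&
       ! verify_tarball "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc" "$work/wrong-key.asc"; then
        # Flip one byte of the download: the same key must now reject it.
        printf 'tampered\n' >> "$work/foo-1.0.tar.gz"
        if ! verify_tarball "$work/foo-1.0.tar.gz" "$work/foo-1.0.tar.gz.asc" "$work/signing-key.asc"; then
            result=0
        fi
    fi
    for d in "$upstream" "$other"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    return $result
}
```

The design point is in `verify_tarball`: the only key that can make the check pass is the one vendored with the package, so the outcome depends on data the packager reviewed rather than on whether a keyserver answers. The cost is that key rotation upstream becomes a change to the package definition, which is the same trade-off Debian accepts with debian/upstream/signing-key.asc.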