From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christopher Allan Webber <cwebber@dustycloud.org>
Subject: Re: Checking signatures on source tarballs
Date: Sun, 21 Feb 2016 20:20:04 -0800
Message-ID: <8760xh4bst.fsf@dustycloud.org>
References: <1443791046-1015-1-git-send-email-alezost@gmail.com>
	<1443791046-1015-3-git-send-email-alezost@gmail.com>
	<87d1wvadw2.fsf@gnu.org> <87bnceah2e.fsf@gmail.com>
	<87r3la6077.fsf@gnu.org> <87eghalc7s.fsf@gmail.com>
	<87wpv1tils.fsf@gnu.org> <87a8rwf2vl.fsf@gmail.com>
	<8737xntorr.fsf_-_@netris.org> <87k2qy7uj7.fsf@gnu.org>
	<87io6iojmf.fsf@netris.org> <87bnca2y59.fsf@gnu.org>
	<87y4fdtwi1.fsf@inria.fr>
	<1444639029.2637.49.camel@invergo.net> <87mvvoavnb.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53274)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1aXhyj-0000XY-4p
	for guix-devel@gnu.org; Sun, 21 Feb 2016 23:20:10 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1aXhyi-00043D-1h
	for guix-devel@gnu.org; Sun, 21 Feb 2016 23:20:09 -0500
In-reply-to: <87mvvoavnb.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org, bug-gsrc@gnu.org, Brandon Invergo <brandon@invergo.net>, Alex Kost <alezost@gmail.com>

Ludovic Court=C3=A8s writes:

> Brandon Invergo <brandon@invergo.net> skribis:
>
>> Hi everyone,
>>
>> On Thu, 2015-10-08 at 13:44 +0200, Ludovic Court=C3=A8s wrote:
>>
>>> Actually I see that GSRC already maintains per-package keyrings.
>>>=20
>>> How is this maintained, Brandon?  That is, where do you get informati=
on
>>> on which keys to put in the keyring, etc.?
>>
>> Admittedly, it's not ideal.  When we first add a package, we make a
>> keyring for it based on whatever information is available to us.
>> Sometimes the public key is listed in the release announcement.  Other
>> times, we just have to grab the public key of whatever we see the
>> package was signed with.  Obviously, that's not very secure since it
>> could have been signed by an attacker.  However usually this process i=
s
>> only performed when adding a new (to GNU) package.  Then, if the
>> signature-checking process ever fails on future releases, I actually
>> look into it.  Sometimes, no public key is available in any of the key
>> servers as far as I can tell.  In those cases, we ignore the signature=
.
>
> OK.  That=E2=80=99s roughly what Mark suggests that we do in Guix, an
> improvement over the current situation.
>
> Thanks for your feedback!
>
> Ludo=E2=80=99.

Extra reasons to want to do signature based verification:
  http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installi=
ng-linux-mint-backdoor/

... be careful out there!
 - Chris