From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 10:00:58 +0000
Message-ID: <877faxqmud.fsf@we.make.ritual.n0.is>
References: <87oa49crz1.fsf@gmail.com>
To: Arun Isaac, Alex Kost
Cc: help-guix

Arun Isaac writes:

> [ Unknown signature status ]
>
>> I think the procedure is: a packager verifies the source and that's it.
>> Since a package has a hash of the source, we can be sure that the source
>> wasn't changed since it was packaged, so if we find that a package has
>> a compromised source, we can blame the packager.
>
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.

There is some portion of the Guix code which gets verified this way
(checking/verifying the source of Guix itself, I think, and the GNU
importer). If you think this should be implemented for every case where a
GPG key is available, we should discuss it here.

-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
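The two checks the thread talks about, the hash pinned in the package (which only proves the archive is what the packager saw) and an upstream GPG signature checked before building (as makepkg does), as an added Python example. This is not code from this message, from Guix or from Parabola; it assumes a `gpg` binary on PATH and that the upstream key was imported beforehand into a per-package keyring file, and the archive and hash in `demo()` are constructed inline.

```python
"""Added example (not Guix's own code): the two source checks the thread
describes, applied to a downloaded archive before anything is built.

  1. Pinned hash: the archive is byte-for-byte what the packager looked at
     when the package definition was written.
  2. Upstream GPG signature: the archive is what the upstream author
     released, which the hash alone cannot tell you.

Assumptions: `gpg` is on PATH, and the upstream key was already imported
into a dedicated keyring file passed in as `keyring`."""
import hashlib
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple


@dataclass
class SourceCheck:
    hash_ok: bool      # archive matches the hash pinned in the package
    signature: str     # "good", "bad" or "unchecked" (no sig / no gpg / no key)
    detail: str        # human-readable reason


def sha256_of(path) -> str:
    """Stream the file through SHA-256; source archives can be large."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_pinned_hash(archive, expected_sha256: str) -> bool:
    return sha256_of(archive) == expected_sha256.lower()


def check_gpg_signature(archive: Path, sig: Path, keyring: Path) -> Tuple[str, str]:
    """Verify a detached signature using gpg's machine-readable --status-fd lines.

    A dedicated keyring (not the user's default one) is used so that only keys
    the packager deliberately trusted for this package can make a signature
    count as good."""
    if shutil.which("gpg") is None:
        return "unchecked", "gpg not installed"
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--status-fd", "1", "--verify", str(sig), str(archive)],
        capture_output=True, text=True)
    status = [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:]")]
    if proc.returncode == 0 and any(" VALIDSIG " in l for l in status):
        return "good", "signature verified against the package keyring"
    if any(" BADSIG " in l for l in status):
        return "bad", "signature does not match the archive"
    if any(" NO_PUBKEY " in l for l in status):
        return "unchecked", "signing key is not in the package keyring"
    return "bad", "gpg exited %d: %s" % (proc.returncode, proc.stderr.strip())


def verify_source(archive, expected_sha256: str,
                  sig: Optional[str] = None,
                  keyring: Optional[str] = None) -> SourceCheck:
    """Hash first, then signature. A hash mismatch stops everything: that is
    not the archive the packager pinned, so nothing else about it matters."""
    archive = Path(archive)
    if not check_pinned_hash(archive, expected_sha256):
        return SourceCheck(False, "unchecked", "hash mismatch; refusing to build")
    if sig is None or keyring is None:
        return SourceCheck(True, "unchecked", "no upstream signature configured")
    state, detail = check_gpg_signature(archive, Path(sig), Path(keyring))
    return SourceCheck(True, state, detail)


def demo() -> dict:
    """Constructed sample: a fake archive written to a temp dir, no network."""
    content = b"constructed archive bytes, not a real release"
    tmp = Path(tempfile.mkdtemp())
    archive = tmp / "foo-1.0.tar.gz"
    archive.write_bytes(content)
    pinned = hashlib.sha256(content).hexdigest()
    return {
        "pinned_ok": verify_source(archive, pinned),   # hash matches, no sig
        "tampered": verify_source(archive, "0" * 64),  # wrong hash, refuse
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real packaging flow the "unchecked" outcomes are the ones worth surfacing: a package with no signature configured, or a signature from a key that is not in the per-package keyring, is exactly the case the thread says currently rests on the packager alone.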