From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 21:53:07 +0000
Message-ID: <878tvcmwqk.fsf@we.make.ritual.n0.is>
In-Reply-To: <87wpiwlmea.fsf@gnu.org>
References: <87oa49crz1.fsf@gmail.com> <20160831172204.GB28096@jasmine> <87wpiwlmea.fsf@gnu.org>
To: Ludovic Courtès, Arun Isaac
Cc: help-guix

Ludovic Courtès writes:

> Hi,
>
> Arun Isaac skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key manually. There is also an option that tells the build
>> system to automatically fetch the key if it is not in your keyring.
>
> ‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
> packagers are expected to authenticate tarballs by themselves, as much
> as possible (usually, I guess we often use a TOFU-style model because
> that’s often the best one can do.)
>
> An improvement that was proposed earlier is to store in package recipes
> the fingerprint of the OpenPGP key a package was checked against. That
> would force packagers to formally specify what they did, and would allow
> us to have tools that double-check; IOW, it could be thought of as TOFU
> at the scale of our community, instead of per-packager:
>
> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>
> Help in this area is very much welcome! :-)
>
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
>
> Ludo’.
>

On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?

-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
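The pinned-fingerprint idea from the quoted reply, as a worked example added here (not Guix code or anything from the thread): a POSIX shell check that verifies a detached signature with gpg and compares the full fingerprint from its VALIDSIG status line against the value a recipe would pin, plus the `git fsck` integrity check ng0 asks about. The sample gpg status text, fingerprints, key ID and file names are constructed.

```shell
#!/bin/sh
# Pinned-fingerprint verification of a source tarball, as sketched in the
# thread: the recipe records the OpenPGP fingerprint the packager checked
# against, and the tool refuses anything signed by a different key.

# Extract the signing-key fingerprint from `gpg --status-fd` output.
# VALIDSIG carries the full fingerprint; GOODSIG only carries a key ID,
# which is too short to pin against.
validsig_fingerprint() {
  printf '%s\n' "$1" |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Compare two fingerprints, ignoring the spacing and case gpg prints.
fingerprint_matches() {
  got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Verify TARBALL against detached signature SIG and require that the
# signing key's fingerprint equals PINNED (the value stored in the recipe).
# Needs gpg and the key in the keyring; returns non-zero on any failure.
verify_pinned_sig() {
  tarball=$1 sig=$2 pinned=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) ||
    return 1
  fingerprint_matches "$(validsig_fingerprint "$status")" "$pinned"
}

# `git fsck` answers ng0's question only partly: it proves the object store
# is internally consistent (hashes match content), not who authored it.
git_checkout_intact() {
  git -C "$1" fsck --strict --no-dangling >/dev/null 2>&1
}

# Constructed gpg status output (not a real signature) for offline checks.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5555666677778888 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2016-08-31 1472680387 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'
PINNED='0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'

if fingerprint_matches "$(validsig_fingerprint "$SAMPLE_STATUS")" "$PINNED"; then
  echo "sample: fingerprint matches pinned value"
else
  echo "sample: MISMATCH" >&2
fi
```

A recipe-level tool would call `verify_pinned_sig` with the downloaded tarball, its `.sig` and the pinned fingerprint; a GOODSIG without a matching VALIDSIG fingerprint is treated as a failure, which is exactly the double-check the proposal asks for.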