From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Checking signatures on source tarballs
Date: Mon, 12 Oct 2015 18:39:36 +0200
Message-ID: <87mvvoavnb.fsf@gnu.org>
In-Reply-To: <1444639029.2637.49.camel@invergo.net> (Brandon Invergo's message of "Mon, 12 Oct 2015 09:37:09 +0100")
To: Brandon Invergo
Cc: guix-devel@gnu.org, Mark H Weaver, Alex Kost, bug-gsrc@gnu.org
List-Id: guix-devel.gnu.org

Brandon Invergo writes:

> Hi everyone,
>
> On Thu, 2015-10-08 at 13:44 +0200, Ludovic Courtès wrote:
>
>> Actually I see that GSRC already maintains per-package keyrings.
>>
>> How is this maintained, Brandon? That is, where do you get information
>> on which keys to put in the keyring, etc.?
>
> Admittedly, it's not ideal. When we first add a package, we make a
> keyring for it based on whatever information is available to us.
> Sometimes the public key is listed in the release announcement. Other
> times, we just have to grab the public key of whatever we see the
> package was signed with. Obviously, that's not very secure since it
> could have been signed by an attacker. However, usually this process is
> only performed when adding a new (to GNU) package. Then, if the
> signature-checking process ever fails on future releases, I actually
> look into it. Sometimes, no public key is available in any of the key
> servers as far as I can tell. In those cases, we ignore the signature.

OK. That’s roughly what Mark suggests that we do in Guix, an improvement
over the current situation.

Thanks for your feedback!

Ludo’.
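The per-package keyring workflow Brandon describes, as an added shell example that is not code from this thread, from GSRC or from Guix: the key that signed a package's first release is pinned into keyrings/<package>.gpg (trust on first use), and every later release is checked with gpgv against that file alone, so a release signed by any other key, or a tarball altered after signing, fails verification and gets looked into. It assumes gpg and gpgv are installed; the two throwaway keys, the identities and the tiny stand-in tarballs are all constructed for the example.

```shell
#!/bin/sh
# Added example (not GSRC's or Guix's own code): pin the first signing
# key of a package into a per-package keyring, then verify later
# releases strictly against that keyring. Keys, names and "tarballs"
# below are constructed for the demo; nothing touches real keyservers.
set -eu

# Generate a throwaway signing-only key for the given (constructed) user id.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never >/dev/null 2>&1
}

# Produce a detached signature <tarball>.sig with the given key.
sign_tarball() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --output "$2.sig" --detach-sign "$2" >/dev/null 2>&1
}

# Check a detached signature against ONE per-package keyring. Prints
# "verified", "bad-signature" or "unverified" (e.g. signer not pinned,
# which gpgv reports as NO_PUBKEY/ERRSIG) and succeeds only for "verified".
verify_tarball() {
    keyring=$1; sig=$2; tarball=$3
    out=$(gpgv --status-fd 1 --keyring "$keyring" "$sig" "$tarball" 2>/dev/null) || true
    case $out in
        *"[GNUPG:] GOODSIG"*) echo verified;      return 0 ;;
        *"[GNUPG:] BADSIG"*)  echo bad-signature; return 1 ;;
        *)                     echo unverified;    return 1 ;;
    esac
}

# Walk through the workflow and print the three outcomes on one line.
run_demo() {
    command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    mkdir "$work/keyrings"

    maint='Foo Maintainer <maint@example.invalid>'   # constructed upstream identity
    other='Other Signer <other@example.invalid>'     # constructed unknown signer
    make_key "$maint"
    make_key "$other"

    # First addition of the package: pin whatever key signed the first
    # release into keyrings/foo.gpg. This is the trust-on-first-use step.
    gpg --batch --quiet --export "$maint" > "$work/keyrings/foo.gpg"

    # A later release signed with the pinned key: verifies.
    printf 'release 1.0\n' > "$work/foo-1.0.tar.gz"   # stand-in for a real tarball
    sign_tarball "$maint" "$work/foo-1.0.tar.gz"
    r1=$(verify_tarball "$work/keyrings/foo.gpg" "$work/foo-1.0.tar.gz.sig" "$work/foo-1.0.tar.gz") || true

    # A release signed by a key that is not in the package keyring: rejected.
    printf 'release 1.1\n' > "$work/foo-1.1.tar.gz"
    sign_tarball "$other" "$work/foo-1.1.tar.gz"
    r2=$(verify_tarball "$work/keyrings/foo.gpg" "$work/foo-1.1.tar.gz.sig" "$work/foo-1.1.tar.gz") || true

    # The 1.0 tarball altered after signing: rejected even though the key is pinned.
    printf 'tampered\n' >> "$work/foo-1.0.tar.gz"
    r3=$(verify_tarball "$work/keyrings/foo.gpg" "$work/foo-1.0.tar.gz.sig" "$work/foo-1.0.tar.gz") || true

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

run_demo
```

The point of keeping one keyring per package rather than one shared keyring is visible in the second case: a signature from a perfectly valid key that simply is not the one pinned for this package is treated as unverified, which is exactly the situation that should trigger a manual look rather than a silent pass.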