From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 22:21:49 +0200
Message-ID: <87wpiwlmea.fsf@gnu.org>
References: <cu7d1kpv6qc.fsf@systemreboot.net> <87oa49crz1.fsf@gmail.com>
	<cu7shtlz8eq.fsf@systemreboot.net> <20160831172204.GB28096@jasmine>
	<cu7k2ewpywr.fsf@systemreboot.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44648)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1bfC1G-0005Ma-Vf
	for help-guix@gnu.org; Wed, 31 Aug 2016 16:22:03 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1bfC1C-0005WA-Cs
	for help-guix@gnu.org; Wed, 31 Aug 2016 16:21:58 -0400
In-Reply-To: <cu7k2ewpywr.fsf@systemreboot.net> (Arun Isaac's message of "Thu,
	01 Sep 2016 00:07:56 +0530")
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: Arun Isaac <arunisaac@systemreboot.net>
Cc: help-guix <help-guix@gnu.org>

Hi,

Arun Isaac <arunisaac@systemreboot.net> skribis:

> When you are building a package from source, the Parabola build system
> verifies the GPG signature of the source archive if the developer's key
> is in your keyring. Else, it raises an error and asks you to get the
> required key manually. There is also an option that tells the build
> system to automatically fetch the key if it is not in your keyring.

=E2=80=98guix import=E2=80=99 and =E2=80=98guix refresh=E2=80=99 do that (w=
hen possible), and otherwise
packagers are expected to authenticate tarballs by themselves, as much
as possible (usually, I guess we often use a TOFU-style model because
that=E2=80=99s often the best one can do.)

An improvement that was proposed earlier is to store in package recipes
the fingerprint of the OpenPGP key a package was checked against.  That
would force packagers to formally specify what they did, and would allow
us to have tools that double-check; IOW, it could be thought of as TOFU
at the scale of our community, instead of per-packager:

  https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html

Help in this area is very much welcome!  :-)

(That said, more and more software is distributed via Git rather than as
tarballs, and most repos are unsigned; even if they were, there are
basically no tools to meaningfully authenticate a Git checkout=E2=80=A6)

Ludo=E2=80=99.