From: Alex Vong
Subject: Re: Checking signatures on source tarballs
Date: Sat, 10 Oct 2015 15:22:12 +0800
To: Ludovic Courtès
Cc: guix-devel@gnu.org, Alex Kost

> What you suggest would be perfect but, if I understand it correctly,
> it’s far from reality. There’s not a single project I know of that
> publishes the list of public keys authorized to sign its tarballs. Even
> if they did, we’d need a way to authenticate that list.
>

I think has listed all their public keys used to sign their releases. This seems to be quite a neat way of doing things. But you're right that there is no easy way to authenticate that list.