gnu-linux-libre

Re: [GNU-linux-libre] Help users to verify their downloads


From: Donald Robertson
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Wed, 20 Jun 2018 13:17:36 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0


On 06/20/2018 10:18 AM, Ludovic Courtès wrote:
> Hello Donald & all,
> 
> GNU Guix uses signed tags and commits on its Git repository, which is
> where package definitions are, and release files on alpha.gnu.org are
> also GPG-signed by one of the maintainers.
> 
> Pre-built binaries for packages, which are opt-in, are also signed.
> It’s up to the user to decide whether or not to trust binaries provided
> by, say, hydra.gnu.org:
> 
> https://www.gnu.org/software/guix/manual/html_node/Substitute-Server-Authorization.html
> 
> Most of our package builds are bit-reproducible so users can “challenge”
> servers that provide binaries—i.e., check whether they provide the same
> binaries as other servers or the same as those they built locally:
> 
> https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-challenge.html
> 
> Ludo’.
> 

Thanks for this info. Looking over the discussion thus far I'm thinking
that what we really ought to do is put together some documentation on
some best practices for free distros. Things that aren't really freedom
issues, but are important for making sure everyone can get the best out
of the program. I don't want to end up where we sort things out now for
currently endorsed distros and then forget to ever bring the issue back
up in the future. So I think it makes sense to put something up in a
public place that distros can refer to going forward.

In addition to the topic we've been discussing I've had some other
issues brought up, such as making sure that distro maintainers keep in
contact, and what to do when a maintainer is handing the project off to
a new maintainer. A lot of this stuff is addressed for GNU Maintainers
in the Information for Maintainers of GNU Software
<https://www.gnu.org/prep/maintain/html_node/index.html>, but I think we
could make a much smaller document on the LibrePlanet wiki that could be
similarly useful for distro maintainers.

Does that all make sense?

-- 
Donald R. Robertson, III, J.D.
Licensing & Compliance Manager
Free Software Foundation
51 Franklin Street, Fifth Floor
Boston, MA 02110
Phone +1-617-542-5942
Fax +1-617-542-2652 ex. 56

Attachment: signature.asc
Description: OpenPGP digital signature
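As an added illustration of the two checks Ludo's message describes (consulting only substitute servers the user has authorized, then "challenging" them against a local build), here is a constructed Python sketch. It is not Guix code; the record layout, key names, store paths and hashes are simplified placeholders standing in for the real narinfo format and signature scheme.

```python
"""Simplified model of 'authorize substitute servers, then challenge them'.

Constructed example, not Guix's own code: records imitate narinfo answers
only loosely, and 'key' stands in for the real signature check."""
from collections import defaultdict

# Constructed answers: which key signed each server's reply and the NAR hash it
# advertises for a store item. Hash values are placeholders, not real digests.
SAMPLE_NARINFOS = [
    {"server": "https://ci.example", "key": "ci-key-2018", "StorePath": "/gnu/store/abc-hello-2.10", "NarHash": "sha256:1111"},
    {"server": "https://mirror.example", "key": "mirror-key", "StorePath": "/gnu/store/abc-hello-2.10", "NarHash": "sha256:1111"},
    {"server": "https://rogue.example", "key": "unknown-key", "StorePath": "/gnu/store/abc-hello-2.10", "NarHash": "sha256:9999"},
    {"server": "https://ci.example", "key": "ci-key-2018", "StorePath": "/gnu/store/def-bc-1.07", "NarHash": "sha256:2222"},
    {"server": "https://mirror.example", "key": "mirror-key", "StorePath": "/gnu/store/def-bc-1.07", "NarHash": "sha256:3333"},
]

# The user's ACL: signing keys of servers they have chosen to trust (the opt-in
# step behind "Substitute Server Authorization"). Constructed key names.
AUTHORIZED_KEYS = {"ci-key-2018", "mirror-key"}


def challenge(records, acl, local_hashes):
    """Compare what each authorized server advertises with the local build.

    Returns (report, ignored): report maps a store path to the servers that
    match or mismatch the reference hash; ignored lists answers whose signing
    key is not in the ACL, which are never used as evidence."""
    by_path = defaultdict(dict)  # store path -> {server: advertised hash}
    ignored = []
    for r in records:
        if r["key"] not in acl:
            ignored.append((r["server"], r["StorePath"]))
            continue
        by_path[r["StorePath"]][r["server"]] = r["NarHash"]
    report = {}
    for path, hashes in by_path.items():
        ref = local_hashes.get(path)  # a local, bit-reproducible build is the reference
        if ref is None:  # no local build: servers are checked against each other
            ref = next(iter(hashes.values()))
        match = sorted(s for s, h in hashes.items() if h == ref)
        mismatch = sorted(s for s, h in hashes.items() if h != ref)
        report[path] = {"local": local_hashes.get(path), "match": match,
                        "mismatch": mismatch, "consistent": not mismatch}
    return report, ignored


if __name__ == "__main__":
    local = {"/gnu/store/abc-hello-2.10": "sha256:1111"}  # constructed local build result
    report, ignored = challenge(SAMPLE_NARINFOS, AUTHORIZED_KEYS, local)
    for path, result in report.items():
        status = "OK" if result["consistent"] else "MISMATCH"
        print(f"{status} {path}: mismatching servers {result['mismatch']}")
    print("ignored (unauthorized key):", ignored)
```

A disagreement is not proof of tampering on its own; the next step is to rebuild locally and inspect the differing outputs, which is what makes reproducible builds the foundation of the check.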

