Re: Packaging packages with GPG signed source archives
From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 21:53:07 +0000
Ludovic Courtès <address@hidden> writes:
> Hi,
>
> Arun Isaac <address@hidden> skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key manually. There is also an option that tells the build
>> system to automatically fetch the key if it is not in your keyring.
>
> ‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
> packagers are expected to authenticate tarballs by themselves, as much
> as possible (usually, I guess we often use a TOFU-style model because
> that’s often the best one can do.)
>
> An improvement that was proposed earlier is to store in package recipes
> the fingerprint of the OpenPGP key a package was checked against. That
> would force packagers to formally specify what they did, and would allow
> us to have tools that double-check; IOW, it could be thought of as TOFU
> at the scale of our community, instead of per-packager:
>
> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>
> Help in this area is very much welcome! :-)
>
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
>
> Ludo’.
>
On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?
--
ng0
For non-prism friendly talk find me on http://www.psyced.org
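One way to do the fingerprint pinning Ludo describes (record the key a package was checked against, then have a tool double-check it), as an added example that is not part of this thread or of Guix itself: a POSIX shell check that reads gpg's machine-readable status output and accepts a signature only when the primary key that made it matches the expected fingerprint, rather than any key that happens to be in the keyring. It assumes `gpg` is in PATH; the fingerprints used are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Guix): pin the signer's key
# fingerprint instead of trusting "Good signature" from any keyring key.

# gpg --status-fd emits, on a valid signature, a line of the form
#   [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <exp-ts> <ver> <res>
#            <pubkey-algo> <hash-algo> <class> [<primary-key-fpr>]
# Print the primary key fingerprint (field 12); older gpg versions omit it,
# in which case fall back to the signing-key fingerprint (field 3).
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print ($12 != "" ? $12 : $3); exit }'
}

# Return 0 only if the status text on stdin reports a VALIDSIG whose
# primary key fingerprint equals $1 (the fingerprint stored in the recipe).
# GOODSIG/BADSIG lines are ignored on purpose: GOODSIG does not say which
# key, and a missing VALIDSIG must fail closed.
check_status() {
    got=$(validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# Verify a detached signature and pin the signer:
#   verify_pinned <expected-fpr> <tarball> <tarball.sig>
# The exit status is the check's result; stderr is discarded because the
# machine-readable status lines on fd 1 are what gets evaluated.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null | check_status "$1"
}
```

A recipe-level tool would call `verify_pinned` with the fingerprint recorded in the package definition; a mismatch (key rotation, or a different signer) then fails loudly instead of passing as merely "good".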