
From: Mark H Weaver
Subject: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Date: Sun, 16 Jun 2019 03:48:16 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)

Hi Ludovic,

Ludovic Courtès <address@hidden> writes:
> What would you think of releasing ‘stable-2.2’ as 2.2.5?

I think it's a fine idea.

> It’s great if you can do it, Mark, but otherwise I can do it.

Regrettably, Guile 2.2 has become too heavy to build on the only machine
in my possession that I have any trust in.  I don't have a machine that
I consider sufficiently trustworthy to produce build outputs for wider
distribution.  I'm not sure that any of us do.

To mitigate the risk that a compromised development machine could be
used to attack others, I propose that we adopt a practice of distributed
verification of release tarballs.  We would publish code that uses Guix
to produce the release tarball deterministically, and put out a call for
volunteers to generate the tarball and post signed declarations
containing the hash of the resulting tarball.  After we have received
several such declarations, we can sign and publish the official tarball.

What do you think?
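One way to implement the maintainer's side of the quorum check proposed above, as an added example that is not part of the original message, of Guile, or of Guix: each volunteer builds the tarball and publishes a signed declaration of its SHA-256; the maintainer verifies every declaration, rejects any valid declaration that disagrees with the locally built tarball, and only signs the release once enough distinct trusted builders agree. Constructed sample bytes stand in for the Guix-built tarball, and per-volunteer HMAC keys stand in for the OpenPGP signatures volunteers would really use; the builder names and the quorum size are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed stand-in for the deterministically built release tarball.
# In practice these bytes would come from `guix build` of the release recipe.
TARBALL = b"guile-2.2.5.tar.gz: constructed sample bytes for this example\n"


@dataclass(frozen=True)
class Declaration:
    signer: str   # volunteer who built the tarball
    sha256: str   # hex digest they claim to have produced
    mac: str      # HMAC-SHA256 over the claim (stand-in for an OpenPGP signature)


def tarball_hash(data: bytes) -> str:
    """SHA-256 of the tarball bytes, the value each volunteer declares."""
    return hashlib.sha256(data).hexdigest()


def _declaration_message(signer: str, sha256: str) -> bytes:
    # Bind the signer name into the signed message so a declaration cannot
    # be replayed under another volunteer's name.
    return f"{signer} built sha256={sha256}".encode()


def sign_declaration(signer: str, key: bytes, data: bytes) -> Declaration:
    """Volunteer side: build (here: receive) the tarball, hash it, sign the claim."""
    digest = tarball_hash(data)
    mac = hmac.new(key, _declaration_message(signer, digest), hashlib.sha256).hexdigest()
    return Declaration(signer, digest, mac)


def verify_declaration(decl: Declaration, key: bytes) -> bool:
    """Check the declaration's signature with the key trusted for that signer."""
    expected = hmac.new(key, _declaration_message(decl.signer, decl.sha256),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, decl.mac)


def release_decision(local_tarball: bytes,
                     declarations: Iterable[Declaration],
                     trusted_keys: Dict[str, bytes],
                     quorum: int) -> Tuple[bool, str]:
    """Maintainer side.

    Returns (ok, reason). ok is True only when at least `quorum` distinct trusted
    signers produced valid declarations matching the locally built hash, and no
    valid declaration disagrees. A single valid dissenting declaration blocks the
    release: it means some build environment (possibly the maintainer's own)
    produced different bytes, which is exactly the case the scheme exists to catch.
    """
    local = tarball_hash(local_tarball)
    agreeing = set()
    for d in declarations:
        key = trusted_keys.get(d.signer)
        if key is None or not verify_declaration(d, key):
            continue  # unknown signer or bad signature: carries no weight
        if d.sha256 != local:
            return False, f"{d.signer} built a different tarball ({d.sha256[:12]}...)"
        agreeing.add(d.signer)
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {quorum} required matching declarations"
    return True, f"{len(agreeing)} independent builders agree on sha256={local}"


if __name__ == "__main__":
    # Constructed volunteer keys; real volunteers would publish OpenPGP signatures.
    keys = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
    decls = [sign_declaration(name, key, TARBALL) for name, key in keys.items()]
    print(release_decision(TARBALL, decls, keys, quorum=3))
    # One builder's environment produced different bytes: release is blocked.
    dissent = sign_declaration("bob", keys["bob"], TARBALL + b"tampered")
    print(release_decision(TARBALL, [decls[0], dissent, decls[2]], keys, quorum=2))
```

The quorum counts distinct signers rather than declarations, so one compromised volunteer cannot reach the threshold by posting several declarations, and a declaration whose signature does not verify is simply ignored rather than treated as agreement.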
