guix-devel

Re: Checking signatures on source tarballs


From: Ludovic Courtès
Subject: Re: Checking signatures on source tarballs
Date: Thu, 08 Oct 2015 13:44:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden (Ludovic Courtès) wrote:

> Even for GNU, we’d have to ask the FSF, and obviously the set of
> authorized keys for each package keeps changing.  So we’d need the FSF
> to provide us with a database/server to answer questions such as “which
> public keys could sign for GNU Foo at this date?” in a secure way.

Actually I see that GSRC already maintains per-package keyrings.

How is this maintained, Brandon?  That is, where do you get information
on which keys to put in the keyring, etc.?

Thanks,
Ludo’.

PS: For context, see the thread starting at
    <https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00115.html>.


