Re: Securing the software distribution chain

From: Efraim Flashner
Subject: Re: Securing the software distribution chain
Date: Tue, 25 Aug 2020 13:01:00 +0300

On Mon, Aug 24, 2020 at 04:36:22PM +0200, Ludovic Courtès wrote:
> Hi!
> Justus Winter <> skribis:
> > Ludovic Courtès <> writes:
> [...]
> We can introduce signature verification in (guix download): every time
> code is downloaded and signature metadata is available, we verify its
> signature.  Unfortunately, I’m afraid this is likely to lead to lots of
> false positives, and in particular failure to retrieve the OpenPGP key.
> WDYT?  Where would you integrate that?

Debian does sometimes add a public GPG key or the tarball signature
inside their debian folder. Not exactly sure how that would map for us.

Efraim Flashner   <>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

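As an added illustration (not code from this thread, from Guix or from Debian) of the pattern Efraim points at, here is a POSIX shell check that verifies a tarball's detached OpenPGP signature against a key pinned next to the package recipe instead of fetched from a keyserver, so a missing key becomes a packaging error rather than the transient failure Ludovic worries about; the function name, exit codes and file layout are assumptions.

```shell
#!/bin/sh
# verify_tarball_sig TARBALL SIGFILE KEYFILE
#
# Verify a downloaded tarball against its detached OpenPGP signature using only
# a public key pinned next to the package recipe, the way Debian can ship an
# upstream key in its debian/ directory (hypothetical layout; paths are the
# caller's choice).  No keyservers and no ~/.gnupg are consulted: the armoured
# key is dearmoured into a throwaway keyring and checked with gpgv, so a
# missing key is a packaging error with its own exit code, never a network hiccup.
#
# Exit status:  0 good signature from the pinned key
#               2 no signature file shipped (nothing to verify)
#               3 pinned key file missing or could not be dearmoured
#               4 tarball missing, or signature present but does not verify
verify_tarball_sig() {
    tarball=$1
    sig=$2
    key=$3
    [ -f "$sig" ] || return 2
    [ -f "$key" ] || return 3
    [ -f "$tarball" ] || return 4
    workdir=$(mktemp -d) || return 3
    # Convert the ASCII-armoured key into the binary keyring format gpgv reads.
    if ! gpg --homedir "$workdir" --batch --quiet --dearmor \
            --output "$workdir/pinned.gpg" "$key" 2>/dev/null; then
        rm -rf "$workdir"
        return 3
    fi
    # gpgv trusts exactly the keys in the given keyring: no web of trust,
    # no automatic key retrieval, no per-user configuration.
    if gpgv --homedir "$workdir" --quiet --keyring "$workdir/pinned.gpg" \
            "$sig" "$tarball" 2>/dev/null; then
        rm -rf "$workdir"
        return 0
    fi
    rm -rf "$workdir"
    return 4
}
```

A caller that wants "no signature metadata" to be non-fatal can treat exit status 2 as a skip while still failing hard on 3 and 4.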
