
Re: Packaging packages with GPG signed source archives

From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 10:00:58 +0000

Arun Isaac <address@hidden> writes:

> [ Unknown signature status ]
>> I think the procedure is: a packager verifies the source and that's it.
>> Since a package has a hash of the source, we can be sure that the source
>> wasn't changed since it was packaged, so if we find that a package has
>> a compromised source, we can blame the packager.
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.

There is some portion of the Guix code which gets verified this way
(checking/verifying the source of Guix itself, I think, and the GNU
importer). If you think this should be implemented for every case where
a GPG key is available, we should discuss it here.
For non-prism friendly talk find me on
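To make the two checks the thread contrasts concrete, here is an added shell example (written for this page, not code from Guix, Parabola's makepkg, or either poster): one function pins the archive to a recorded SHA-256 hash, as the package definition does, and a second one additionally verifies a detached GPG signature against a keyring that holds only the upstream keys the packager has chosen to trust. The argument names, the `verify_source` wrapper and the keyring layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Guix code. Verifies a downloaded source archive
# against a pinned hash and, when a detached signature is supplied,
# against upstream's GPG key as well.

# sha256_of FILE: print the hex SHA-256 of FILE (portable across
# coreutils and BSD userlands).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_hash ARCHIVE EXPECTED_SHA256
# Returns 0 when the archive matches the hash recorded at packaging time,
# 1 otherwise. This is the check that lets the packager be held to account:
# the hash fixes exactly which bytes were reviewed.
verify_hash() {
    archive=$1
    expected=$2
    actual=$(sha256_of "$archive")
    [ "$actual" = "$expected" ]
}

# verify_signature ARCHIVE SIGNATURE KEYRING
# Verifies a detached signature using only the keys in KEYRING (an
# assumed file of trusted upstream keys), so a valid signature from an
# unexpected key is still rejected. Requires gpg on PATH.
verify_signature() {
    archive=$1
    sig=$2
    keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$archive"
}

# verify_source ARCHIVE EXPECTED_SHA256 [SIGNATURE KEYRING]
# Hash check is mandatory; the signature check runs when a signature and
# keyring are given. Both must pass for the archive to be accepted.
verify_source() {
    verify_hash "$1" "$2" || { echo "hash mismatch for $1" >&2; return 1; }
    if [ $# -ge 4 ]; then
        verify_signature "$1" "$3" "$4" || { echo "bad signature for $1" >&2; return 1; }
    fi
    return 0
}
```

Usage: `verify_source foo-1.0.tar.gz <sha256> foo-1.0.tar.gz.sig upstream-keys.gpg`. Keeping the trusted keys in a dedicated keyring rather than the packager's default one is what turns "the signature is valid" into "the signature is from the key we expected".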
