Re: Packaging packages with GPG signed source archives

From: Ludovic Courtès
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 22:21:49 +0200

Arun Isaac <address@hidden> writes:

> When you are building a package from source, the Parabola build system
> verifies the GPG signature of the source archive if the developer's key
> is in your keyring. Else, it raises an error and asks you to get the
> required key manually. There is also an option that tells the build
> system to automatically fetch the key if it is not in your keyring.

‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
packagers are expected to authenticate tarballs by themselves, as much
as possible (usually, I guess we often use a TOFU-style model because
that’s often the best one can do.)

An improvement that was proposed earlier is to store in package recipes
the fingerprint of the OpenPGP key a package was checked against.  That
would force packagers to formally specify what they did, and would allow
us to have tools that double-check; IOW, it could be thought of as TOFU
at the scale of our community, instead of per-packager:

Help in this area is very much welcome!  :-)

(That said, more and more software is distributed via Git rather than as
tarballs, and most repos are unsigned; even if they were, there are
basically no tools to meaningfully authenticate a Git checkout…)
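
The double-check tool proposed in the message above, sketched as an added example that is not part of the original message or of Guix. It assumes the recipe's pinned fingerprint is available as a string and that GnuPG's `--status-fd` output is used; the function names, fingerprints and status lines are constructed for illustration.

```python
import subprocess

# Status keywords after which a signature must not be trusted, even though
# gpg may still print VALIDSIG alongside them (expired or revoked key).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def gpg_verify_status(sig_path, data_path):
    """Return gpg's machine-readable status lines for a detached signature."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.stdout

def normalize(fpr):
    """Accept fingerprints written with spaces or in lower case."""
    return "".join(fpr.split()).upper()

def signer_matches_pin(status_text, pinned_fpr):
    """Return (ok, reason); ok only when a valid signature names the pin."""
    pinned, matched, seen_valid = normalize(pinned_fpr), False, False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False, parts[1]
        if parts[1] == "VALIDSIG":
            seen_valid = True
            # parts[2]: key that made the signature (often a subkey);
            # parts[11], when present: fingerprint of its primary key.
            primary = parts[11] if len(parts) >= 12 else parts[2]
            matched = matched or pinned in (parts[2].upper(), primary.upper())
    if not seen_valid:
        return False, "no valid signature"
    return (True, "pinned key") if matched else (False, "unpinned key")

# Constructed sample: a release signed by a subkey of the pinned primary key.
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Maintainer\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2016-08-31 1472674909 0 4 0 1 8 00 {PRIMARY}\n")
```

Rejecting `EXPKEYSIG` is a policy choice: a project that keeps old releases signed by since-expired keys may prefer to report it rather than fail.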


