
Re: Packaging packages with GPG signed source archives

From: ng0
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 21:53:07 +0000

Ludovic Courtès <address@hidden> writes:

> Hi,
>
> Arun Isaac <address@hidden> skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key manually. There is also an option that tells the build
>> system to automatically fetch the key if it is not in your keyring.
>
> ‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
> packagers are expected to authenticate tarballs by themselves, as much
> as possible (usually, I guess we often use a TOFU-style model because
> that’s often the best one can do.)
>
> An improvement that was proposed earlier is to store in package recipes
> the fingerprint of the OpenPGP key a package was checked against.  That
> would force packagers to formally specify what they did, and would allow
> us to have tools that double-check; IOW, it could be thought of as TOFU
> at the scale of our community, instead of per-packager:
>
> Help in this area is very much welcome!  :-)
>
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
>
> Ludo’.

On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?

For non-prism friendly talk find me on
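The "double-check" tool Ludovic sketches above (a recipe records the fingerprint of the OpenPGP key the tarball was verified against, and a tool re-verifies and compares) can be built on top of GnuPG's machine-readable status output rather than on parsing its human-readable messages. The example below is added here and is not Guix code: it runs `gpg --status-fd 1 --verify` and accepts a tarball only if the signature is GOODSIG and the `VALIDSIG` fingerprint (signing key or its primary key) matches the fingerprint recorded in the recipe. The `git fsck` helper at the end is the integrity check ng0 asks about; it proves the object store is self-consistent, not who made the commits. The status lines, fingerprints and file names used in the samples are constructed for illustration, not taken from any real key.

```python
"""Re-verify a signed source archive against the key fingerprint recorded in a recipe.

Added example, not part of the original thread or of Guix. The fingerprints below
are constructed (not real keys); gpg and git are only invoked by the two run_* helpers.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Status keywords that mean the signature must be rejected outright. EXPKEYSIG and
# REVKEYSIG come with a VALIDSIG line too, so they have to be checked explicitly.
_FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    """Canonical form for comparison: no spaces, upper-case hex."""
    return re.sub(r"\s+", "", fpr).upper()


@dataclass
class SignatureCheck:
    ok: bool
    signing_fpr: Optional[str]   # fingerprint of the (sub)key that made the signature
    primary_fpr: Optional[str]   # fingerprint of that key's primary key
    reason: str


def check_status(status_output: str, expected_fpr: str) -> SignatureCheck:
    """Decide from `gpg --status-fd` output whether the signature is good AND made by
    the expected key. A recipe may record either the primary or the signing subkey."""
    expected = normalize_fpr(expected_fpr)
    good = False
    signing: Optional[str] = None
    primary: Optional[str] = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in _FATAL:
            return SignatureCheck(False, signing, primary, keyword)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> [<primary-key-fpr>]
            signing = fields[2].upper()
            primary = fields[11].upper() if len(fields) > 11 else signing
    if not good or signing is None:
        return SignatureCheck(False, signing, primary, "no GOODSIG/VALIDSIG")
    if expected not in (signing, primary):
        return SignatureCheck(False, signing, primary, "fingerprint mismatch")
    return SignatureCheck(True, signing, primary, "ok")


def run_gpg_verify(signature: str, tarball: str, expected_fpr: str) -> SignatureCheck:
    """Invoke gpg and feed its status lines to check_status. Exit status is ignored on
    purpose: a bad signature is diagnosed from the status output, not from the code."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout, expected_fpr)


def run_git_fsck(repo_dir: str) -> bool:
    """Integrity only: every object hashes to its name and all references resolve.
    This does not authenticate the checkout; it just detects corruption/tampering
    of the object store after the fact."""
    proc = subprocess.run(["git", "-C", repo_dir, "fsck", "--strict"],
                          capture_output=True, text=True, check=False)
    return proc.returncode == 0


# --- constructed sample status output (fake fingerprints) ---------------------
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG {SUBKEY} 2016-08-31 1472680000 0 4 0 1 8 00 {PRIMARY}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>
"""
SAMPLE_MISSING_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1472680000 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

if __name__ == "__main__":
    # Recipe stores the primary fingerprint, possibly with the usual spacing.
    print(check_status(SAMPLE_GOOD, "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"))
    print(check_status(SAMPLE_GOOD, "FFFF" * 10))
    print(check_status(SAMPLE_BAD, PRIMARY))
```

The point of insisting on `GOODSIG` and on the `VALIDSIG` fingerprint, rather than on gpg's exit status alone, is that gpg exits zero for a signature from any key in the keyring, which is exactly the per-packager TOFU the recipe-stored fingerprint is meant to replace.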
