bug#22883: Trustable "guix pull"

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#22883: Trustable "guix pull"

From:	Mike Gerwitz
Subject:	bug#22883: Trustable "guix pull"
Date:	Sat, 04 Jun 2016 21:43:29 -0400
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)

On Sat, Jun 04, 2016 at 18:19:31 +0200, Werner Koch wrote:
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons.  That output creates a well
> defined API and we try very hard never to break it.
> [...]
> I have never looked into git to check whether git correctly calls gpg
> to verify signatures.  That should eventually be done.

A quick glance (latest master, gpg-interface.c:208 verify_signed_buffer):

It invokes `gpg --status-fd=1 --verify FILE -`, where FILE is a
signature written to a temporary file for the sake of invoking
GPG.  It checks for a non-zero exit code and GOODSIG:

  ret |= !strstr(pbuf->buf, "\n[GNUPG:] GOODSIG ");

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#22883: Trustable "guix pull", Werner Koch, 2016/06/04
- bug#22883: Trustable "guix pull", Ludovic Courtès, 2016/06/04
  - bug#22883: Trustable "guix pull", Werner Koch, 2016/06/05
    - bug#22883: Trustable "guix pull", Leo Famulari, 2016/06/06
    - bug#22883: gpg2 vs. gpg, Ludovic Courtès, 2016/06/07
    - bug#22883: gpg2 vs. gpg, Werner Koch, 2016/06/07
    - bug#22883: gpg2 vs. gpg, ng0, 2016/06/07
- bug#22883: Trustable "guix pull", Mike Gerwitz <=

Prev by Date: bug#22883: Trustable "guix pull"
Next by Date: bug#22883: Trustable "guix pull"
Previous by thread: bug#22883: gpg2 vs. gpg
Next by thread: bug#23697: guix system reconfigure hangs, shows repl in messages
Index(es):
- Date
- Thread