guix-devel

Re: Suggest another way of importing GNU Guix GPG key


From: Giovanni Biscuolo
Subject: Re: Suggest another way of importing GNU Guix GPG key
Date: Sun, 30 Jun 2019 11:44:04 +0200

Hello Guix!

Alex Vong <address@hidden> writes:

> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
>   $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>

Correct, the quick and "dirty" workaround is **to stop using the SKS
network** and warn Guix users to **manually download** certificates.

This means we should quickly patch the Guix manual: I've no time to propose a
patch today, I'll work on this tomorrow.

We also need to address this for **all** Guix contributors: we require a
GPG signed commit, so each and every contributor/developer should
understand the risks of using SKS network and apply current proposed
workarounds: can we state this in maintenance.git/HACKING?

We should act quickly, IMHO.

Thanks! Gio'

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
