Hello! zimoun <zimon.touto...@gmail.com> skribis:
> On Tue, 21 Jul 2020 at 23:22, Ludovic Courtès <l...@gnu.org> wrote:
>
>>>> >> • If we no longer deal with tarballs but upstreams keep signing
>>>> >> tarballs (not raw directory hashes), how can we authenticate our
>>>> >> code after the fact?
>>>> >
>>>> > Does Guix automatically authenticate code using signed tarballs?
>>>>
>>>> Not automatically; packagers are supposed to authenticate code when they
>>>> add a package (‘guix refresh -u’ does that automatically).
>>>
>>> So I miss the point of having this authentication information in the
>>> future where upstream has disappeared.
>>
>> What I meant above is that often, what we have is things like detached
>> signatures of raw tarballs, or documents referring to a tarball hash:
>>
>> https://sympa.inria.fr/sympa/arc/swh-devel/2016-07/msg00009.html
>
> I still miss why it matters to store detached signatures of raw tarballs.

I’m not saying we (Guix) should store signatures; I’m just saying that
developers typically sign raw tarballs. It’s a general statement to
explain why storing or being able to reconstruct tarballs matters.

Thanks,
Ludo’.