On Sun, Jun 30, 2019 at 11:44:04AM +0200, Giovanni Biscuolo wrote:
> This means we should quickly patch Guix manual: I've no time to propose a
> patch today, I'll work on this tomorrow
>
> We also need to address this for **all** guix contributors: we require a
> GPG signed commit, so each and every contributor/developer should
> understand the risks of using SKS network and apply current proposed
> workarounds: can we state this in maintenance.git/HACKING?
>
> We should act quickly, IMHO

This is also being discussed privately with the Guix maintainers. I expect to push an update for the manual and HACKING today. PGP signatures in the context of `guix refresh` will become worse than useless without either 1) changes in upstream GnuPG or 2) if the key holders personally upload their keys to <keys.openpgp.org>. We might need to remove the signature verification feature entirely.