Hi,

Is the current scheme of authenticating Git checkouts [1] really compatible with the free software guidelines we hold so dear?

Here is my dilemma: I would like to deploy an experimental version of Guix by following the advice so kindly offered here [2] but hesitate to compromise on security. I cannot figure out how to add my own key [3] to the in-repo file .guix-authorizations [4] without asking an approved upstream committer to sign that commit in my own repository. The way I see it, such a shim transaction would also prevent me from tracking further upstream changes in my own branch because the shim would have to be rebased continually.

I believe users should be able to extend the trust roots. Could we perhaps expand the present mechanism to merge the trusted keys from all channels? That would presumably include my own.

Thanks!

Kind regards,
Felix

[1] https://guix.gnu.org/blog/2020/securing-updates/
[2] https://lists.gnu.org/archive/html/guix-devel/2023-05/msg00021.html
[3] https://codeberg.org/lechner/juix/src/branch/history/.guix-authorizations
[4] https://git.savannah.gnu.org/cgit/guix.git/tree/.guix-authorizations