> I think the procedure is: a packager verifies the source and that's it.
> Since a package has a hash of the source, we can be sure that the source
> wasn't changed since it was packaged, so if we find that a package has
> a compromised source, we can blame the packager.

Ah, that sounds good enough. Still, for the sake of completeness, it would
be nice for Guix to have support for verifying GPG-signed source
archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
GPG signatures before building.

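An added example, not part of the message above and not code from Guix or makepkg, of what such a verification step amounts to in shell: check a detached GPG signature on a source archive against a pinned key fingerprint, acting on gpg's machine-readable status lines rather than its exit code alone, and pin the archive's SHA-256 next to it so the packager's hash can be re-checked later. The helper names (verify_source, source_hash, check_hash, demo), the throwaway key 'Packager <packager@example.invalid>' and the constructed archive are assumptions of this example; it needs GnuPG 2.x (gpg, gpgconf), awk and sha256sum on PATH.

```shell
#!/bin/sh
# Added example (not Guix's or makepkg's own code): verify a detached GPG
# signature on a source archive against a pinned key fingerprint, then pin
# the archive's SHA-256 so it can be re-checked later.
# Assumes GnuPG 2.x, awk and sha256sum are on PATH (an assumption here).
set -eu

# verify_source ARCHIVE SIGFILE FINGERPRINT GNUPGHOME
# Succeeds only if SIGFILE is a good (not expired/revoked) signature over
# ARCHIVE made by the key whose 40-hex-digit fingerprint is FINGERPRINT,
# looked up in the keyring under GNUPGHOME.
verify_source() {
    archive=$1 sig=$2 fpr=$3 home=$4
    # --status-fd 1 makes gpg emit "[GNUPG:] ..." lines on stdout. The exit
    # status alone never tells you WHICH key signed, so pin the fingerprint
    # from the VALIDSIG line and require GOODSIG (absent for EXPKEYSIG/REVKEYSIG).
    status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$fpr" '
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { fprok = 1 }
        END { exit (good && fprok) ? 0 : 1 }'
}

# source_hash ARCHIVE: the SHA-256 a package definition would record.
source_hash() {
    sha256sum "$1" | awk '{ print $1 }'
}

# check_hash ARCHIVE EXPECTED: fail unless ARCHIVE still hashes to EXPECTED.
check_hash() {
    [ "$(source_hash "$1")" = "$2" ]
}

# demo: build a throwaway keyring, sign a constructed archive, and show the
# checks accepting the genuine archive while rejecting an unexpected key and
# a tampered archive. Prints nothing; the exit status is the result.
demo() {
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    printf 'constructed sample archive contents\n' > "$tmp/hello-1.0.tar"
    GNUPGHOME=$tmp gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Packager <packager@example.invalid>' ed25519 sign 2>/dev/null || return 1
    fpr=$(GNUPGHOME=$tmp gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME=$tmp gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$tmp/hello-1.0.tar.sig" "$tmp/hello-1.0.tar" 2>/dev/null || return 1
    h=$(source_hash "$tmp/hello-1.0.tar")
    # genuine archive, pinned key: both checks must pass
    verify_source "$tmp/hello-1.0.tar" "$tmp/hello-1.0.tar.sig" "$fpr" "$tmp" || return 1
    check_hash "$tmp/hello-1.0.tar" "$h" || return 1
    # same good signature, but not the fingerprint we pinned: must fail
    if verify_source "$tmp/hello-1.0.tar" "$tmp/hello-1.0.tar.sig" "$(printf '%040d' 0)" "$tmp"; then return 1; fi
    # tampered archive: signature and pinned hash must both fail now
    printf 'extra bytes appended after signing\n' >> "$tmp/hello-1.0.tar"
    if verify_source "$tmp/hello-1.0.tar" "$tmp/hello-1.0.tar.sig" "$fpr" "$tmp"; then return 1; fi
    if check_hash "$tmp/hello-1.0.tar" "$h"; then return 1; fi
    GNUPGHOME=$tmp gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Running the script with --demo generates a throwaway key in a temporary GNUPGHOME, signs the constructed archive, and confirms that the genuine archive passes while a wrong fingerprint or a tampered archive fails. The fingerprint pin is the part that matters: a "good signature" from any key that happens to be in the keyring says nothing about who produced the archive, which is why the check reads the VALIDSIG fingerprint instead of trusting gpg's exit status.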