Arun Isaac <arunis...@systemreboot.net> writes:

>> I think the procedure is: a packager verifies the source and that's it.
>> Since a package has a hash of the source, we can be sure that the source
>> wasn't changed since it was packaged, so if we find that a package has
>> a compromised source, we can blame the packager.
>
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG-signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.
There is some portion of the Guix code which gets verified this way (checking/verifying the source of Guix itself, I think, and the GNU importer). If you think this should be implemented for every case where a GPG key is available, we should discuss it here.

--
ng0
For non-PRISM-friendly talk find me on http://www.psyced.org
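For reference, the two checks the thread is talking about (the pinned source hash that a package carries, and a 'makepkg'-style detached-signature check against the upstream key) look like this in POSIX shell. This is an added illustration, not code from the thread, from Guix or from makepkg; it assumes the upstream maintainer's public key has already been exported into a keyring file, and that the archive ships with a detached signature file (the `.sig` name and the `upstream.gpg` keyring in the usage line are placeholders).

```shell
#!/bin/sh
# Added example (not Guix or makepkg code): check a source archive against a
# pinned SHA-256 and a detached OpenPGP signature before building it.

# sha256_of FILE -> hex digest on stdout (sha256sum on GNU, shasum on BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_hash FILE EXPECTED_SHA256 -> 0 iff the archive matches the pinned hash.
# This is the check a package's recorded hash gives you: it proves the archive
# is the one the packager looked at, not that the packager looked carefully.
verify_hash() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_signature FILE SIGFILE KEYRING -> 0 iff gpg accepts the detached
# signature using ONLY the pinned keyring.  gpg exits 0 for any good signature
# from a key it knows, so restricting it to a keyring that holds just the
# upstream key (no default keyring, no keyserver lookups) is what makes the
# check meaningful.  Returns 2 when gpg is not installed so callers can tell
# "unverifiable" from "forged".
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --batch --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# verify_source FILE EXPECTED_SHA256 SIGFILE KEYRING -> 0 only if both checks pass.
# The hash is checked first: a tampered archive is rejected before any
# signature parsing code ever sees it.
verify_source() {
    verify_hash "$1" "$2" || { echo "hash mismatch for $1" >&2; return 1; }
    verify_signature "$1" "$3" "$4" || { echo "signature check failed for $1" >&2; return 1; }
    echo "ok: $1 matches pinned hash and upstream signature"
}

# Usage (placeholder names):
#   verify_source foo-1.2.tar.gz <sha256-from-package-definition> foo-1.2.tar.gz.sig upstream.gpg
```

Note the division of labour: the signature check tells you the archive is what upstream published, the hash tells you it is what the packager reviewed. Neither replaces the other, and the signature check is only as strong as the way the key in `upstream.gpg` was obtained in the first place.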