Ludovic Courtès <l...@gnu.org> writes:

> Hi,
>
> Arun Isaac <arunis...@systemreboot.net> skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key manually. There is also an option that tells the build
>> system to automatically fetch the key if it is not in your keyring.
>
> ‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
> packagers are expected to authenticate tarballs by themselves, as much
> as possible (usually, I guess we often use a TOFU-style model because
> that’s often the best one can do.)
>
> An improvement that was proposed earlier is to store in package recipes
> the fingerprint of the OpenPGP key a package was checked against. That
> would force packagers to formally specify what they did, and would allow
> us to have tools that double-check; IOW, it could be thought of as TOFU
> at the scale of our community, instead of per-packager:
>
> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>
> Help in this area is very much welcome! :-)
>
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
>
> Ludo’.
>
On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?

--
ng0
For non-prism friendly talk find me on http://www.psyced.org
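The two checks discussed above (a `git fsck` pass on a fetched checkout, and the TOFU-style pinning Ludo describes) as an added example. This is not code from Guix or from git-download.scm; it is a stand-alone POSIX shell script that only needs `git` on the PATH. The function names (`fsck_checkout`, `verify_pinned_commit`, `verify_tag_signature`, `make_upstream`, `corrupt_object`) and the local "upstream" repository it builds are constructed for the demonstration. The point it makes, beyond the thread, is that `git fsck` proves object integrity (every object inflates and hashes to its own name) but not authenticity: a consistent but malicious history passes fsck, so a recorded commit id or a verifiable tag signature is still needed, while a commit pin by itself does not re-read object contents and so does not replace fsck either.

```shell
#!/bin/sh
# Added example, not Guix code: integrity (git fsck) and pinning (TOFU)
# checks for a git checkout, run against a constructed local repository.

# Integrity check: every object must inflate, hash to its name and be
# well-formed. git exits non-zero when it finds corruption.
fsck_checkout() {
    git -C "$1" fsck --strict --no-dangling >/dev/null 2>&1
}

# TOFU-style pin: the recipe records the commit id seen at import time,
# and later fetches must resolve HEAD to exactly that id. This compares
# ids only; it does not re-verify the objects behind them.
verify_pinned_commit() {
    repo=$1
    expected=$2
    actual=$(git -C "$repo" rev-parse --verify HEAD 2>/dev/null) || return 1
    [ "$actual" = "$expected" ]
}

# Authenticity check for a signed upstream tag. Only meaningful when the
# maintainer's OpenPGP key is already in the keyring; otherwise it fails
# closed. Not exercised by the demo below because it needs a real key.
verify_tag_signature() {
    git -C "$1" verify-tag "$2" >/dev/null 2>&1
}

# Constructed stand-in for an upstream repository (no network needed).
# Prints the commit id a packager would record in the recipe.
make_upstream() {
    dir=$1
    rm -rf "$dir"
    git init -q "$dir"
    printf 'int main(void) { return 0; }\n' > "$dir/main.c"
    git -C "$dir" add main.c
    git -C "$dir" -c user.name=upstream -c user.email=upstream@example.invalid \
        commit -q -m 'initial import'
    git -C "$dir" rev-parse --verify HEAD
}

# Simulate a tampered or bit-rotted object store by overwriting one loose
# object. Loose objects are created read-only, hence the chmod.
corrupt_object() {
    for obj in "$1"/.git/objects/[0-9a-f][0-9a-f]/*; do
        [ -f "$obj" ] || continue
        chmod u+w "$obj"
        printf 'not a zlib stream' > "$obj"
        return 0
    done
    return 1
}

demo() {
    tmp=$(mktemp -d)
    pin=$(make_upstream "$tmp/src")
    echo "recorded commit: $pin"
    fsck_checkout "$tmp/src" && echo "fsck: clean"
    verify_pinned_commit "$tmp/src" "$pin" && echo "pin: matches"
    corrupt_object "$tmp/src"
    fsck_checkout "$tmp/src" || echo "fsck: corruption detected"
    rm -rf "$tmp"
}

demo
```

In a build system the order would be: fetch, `fsck_checkout`, then `verify_pinned_commit` against the id stored in the recipe (the git analogue of the OpenPGP fingerprint Ludo proposes storing for tarballs), and `verify_tag_signature` where upstream signs tags and the key is known. Running fsck before anything else is cheap and catches a damaged or partially overwritten object store, which neither a hash pin nor a tag signature check would notice on its own.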