Ludovic Courtès <[email protected]> writes:

> Hello,
>
> Simen Endsjø <[email protected]> writes:
>
>> The Codeberg pull request template states we should "Verify
>> cryptographic signature provided by upstream.", but what does this mean
>> for git repositories? There is no link to further documentation for this
>> checkpoint.
>
> Right, we should improve the doc. Most of the time, that means checking
> the signature on the release tag.
Couldn't that be automated? Or is it already? If the PGP or SSH public key of upstream is saved, a comparison could be made automatically, assuming guix downloads a package using the git protocol (or some other way that preserves the git tag signature validity). Although I'm not sure I see exactly which threat this automated checking would actually protect us from, since the hashes of the tarballs are checked too. Only protect us from Guix packagers being fooled by a fake upstream release? That leaves a non-deniable track record around, so I'm not sure how much of a concern this is.

/Simon
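The manual check Ludovic describes (verify the signature on the release tag) can be pinned to a known upstream key, which is the automation Simon asks about. The following is an added example, not Guix code: `verify_release_tag` and `check_validsig` are hypothetical helper names, the fingerprints in the comments are constructed, and it assumes an OpenPGP-signed annotated tag (SSH-signed tags produce a different status format).

```shell
#!/bin/sh
# Added example (not from Guix): accept a release tag only if its OpenPGP
# signature is good AND was made by a pinned upstream key fingerprint.

# check_validsig EXPECTED_FPR STATUS_TEXT
#   EXPECTED_FPR: upstream's 40-hex-digit fingerprint (spaces/case ignored)
#   STATUS_TEXT:  gpg status lines as printed by `git verify-tag --raw`
# A bare `git verify-tag` exit status only tells you that *some* key in the
# local keyring signed the tag; the VALIDSIG line carries the fingerprint
# that lets you pin it to upstream's key.
check_validsig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    status="$2"
    # VALIDSIG is emitted only for a good signature. Field 3 is the
    # fingerprint of the signing (sub)key; when a subkey signed, the last
    # field is the primary key fingerprint, so either may be the pinned one.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    primary=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || return 1            # no good signature at all
    [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]
}

# verify_release_tag REPO_DIR TAG EXPECTED_FPR
# Runs git's own verification (--raw keeps gpg's status lines, on stderr)
# and then applies the fingerprint pin on top of git's exit status.
verify_release_tag() {
    repo="$1"; tag="$2"; expected="$3"
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || return 1
    check_validsig "$expected" "$status"
}
```

The signature lives inside the annotated tag object, so any fetch that delivers the tag object (the git protocol included) preserves it, whereas a forge-generated tarball does not carry it at all.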