Ludovic Courtès writes:
> ng0 skribis:
>
>> Ludovic Courtès writes:
>>
>>> Hi,
>>>
>>> ng0 skribis:
>>>
On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?
>>>
>>> Dunn
ng0 skribis:
> Ludovic Courtès writes:
>
>> Hi,
>>
>> ng0 skribis:
>>
>>> On the subject of git repos, I do not understand enough of the
>>> git-download.scm at the moment to add this myself, but why don't we have
>>> git-fsck in it as default?
>>
>> Dunno; what would it add?
>>
>> Ludo’.
>
> I
Ludovic Courtès writes:
> Hi,
>
> ng0 skribis:
>
>> On the subject of git repos, I do not understand enough of the
>> git-download.scm at the moment to add this myself, but why don't we have
>> git-fsck in it as default?
>
> Dunno; what would it add?
>
> Ludo’.
I don't understand enough of it,
Hi,
ng0 skribis:
> On the subject of git repos, I do not understand enough of the
> git-download.scm at the moment to add this myself, but why don't we have
> git-fsck in it as default?
Dunno; what would it add?
Ludo’.
Troy Sankey skribis:
> Quoting Ludovic Courtès (2016-08-31 16:21:49)
>> (That said, more and more software is distributed via Git rather than as
>> tarballs, and most repos are unsigned; even if they were, there are
>> basically no tools to meaningfully authenticate a Git checkout…)
>
> In that c
Quoting Ludovic Courtès (2016-08-31 16:21:49)
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
In that case, not all hope is lost---I'v
Ludovic Courtès writes:
> Hi,
>
> Arun Isaac skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key man
Hi,
Arun Isaac skribis:
> When you are building a package from source, the Parabola build system
> verifies the GPG signature of the source archive if the developer's key
> is in your keyring. Else, it raises an error and asks you to get the
> required key manually. There is also an option that
> Does Parabola have some sort of keyring that all the upstream keys go
> into? Or did I misinterpret your suggestion? I'm not familiar with the
> Parabola package management system.
No, Parabola does not collect upstream keys into any centralized keyring.
When you are building a package from so
On Wed, Aug 31, 2016 at 01:17:57PM +0530, Arun Isaac wrote:
Alex Kost wrote:
> > I think the procedure is: a packager verifies the source and that's it.
> > Since a package has a hash of the source, we can be sure that the source
> > wasn't changed since it was packaged, so if we find that a packag
Arun Isaac writes:
> [ Unknown signature status ]
>
>> I think the procedure is: a packager verifies the source and that's it.
>> Since a package has a hash of the source, we can be sure that the source
>> wasn't changed since it was packaged, so if we find that a package has
>> a compromised sou
> I think the procedure is: a packager verifies the source and that's it.
> Since a package has a hash of the source, we can be sure that the source
> wasn't changed since it was packaged, so if we find that a package has
> a compromised source, we can blame the packager.
Ah, that sounds good eno
Arun Isaac (2016-08-31 08:37 +0300) wrote:
> I am trying to package a package that provides a GPG signed source
> archive. Is there any way to get Guix to verify this signature, by say,
> specifying it in the 'origin' object of the 'source' field of the
> package? What is the standard way this is
13 matches
Mail list logo
