[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Packaging packages with GPG signed source archives
|
From: |
Arun Isaac |
|
Subject: |
Re: Packaging packages with GPG signed source archives |
|
Date: |
Wed, 31 Aug 2016 13:17:57 +0530 |
|
User-agent: |
mu4e 0.9.16; emacs 24.5.1 |
> I think the procedure is: a packager verifies the source and that's it.
> Since a package has a hash of the source, we can be sure that the source
> wasn't changed since it was packaged, so if we find that a package has
> a compromised source, we can blame the packager.
Ah, that sounds good enough. Still, for the sake of completion, it would
be nice for Guix to have support for verifying GPG signed source
archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
GPG signatures before building.
signature.asc
Description: PGP signature
- Packaging packages with GPG signed source archives, Arun Isaac, 2016/08/31
- Re: Packaging packages with GPG signed source archives, Alex Kost, 2016/08/31
- Re: Packaging packages with GPG signed source archives,
Arun Isaac <=
- Re: Packaging packages with GPG signed source archives, ng0, 2016/08/31
- Re: Packaging packages with GPG signed source archives, Leo Famulari, 2016/08/31
- Re: Packaging packages with GPG signed source archives, Arun Isaac, 2016/08/31
- Re: Packaging packages with GPG signed source archives, Ludovic Courtès, 2016/08/31
- Re: Packaging packages with GPG signed source archives, ng0, 2016/08/31
- Re: Packaging packages with GPG signed source archives, Troy Sankey, 2016/08/31