help-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Packaging packages with GPG signed source archives


From: Leo Famulari
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 13:22:04 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

On Wed, Aug 31, 2016 at 01:17:57PM +0530, Arun Isaac wrote:
Alex Kost wrote:
> > I think the procedure is: a packager verifies the source and that's it.
> > Since a package has a hash of the source, we can be sure that the source
> > wasn't changed since it was packaged, so if we find that a package has
> > a compromised source, we can blame the packager.
> 
> Ah, that sounds good enough. Still, for the sake of completion, it would
> be nice for Guix to have support for verifying GPG signed source
> archives. I used to run Parabola GNU/Linux, and its 'makepkg' verified
> GPG signatures before building.

There was a discussion about verifying signatures of GNU packages using
a GNU keyring, but it didn't end up happening. This would have enabled a
more trustworthy automatic update system for the GNU packages. It should
be in the guix-devel mailing list archive.

In my opinion, a limitation of verifying signatures automatically is
that the web of trust requires us (humans) to make sure the key
corresponds to the person or group that we intend to trust.

GnuPG will automatically download a missing key when verifying a
signature, but it's up to us to decide if the key is worth trusting.

As Alex said, Guix packagers verify signatures and then put tarball
hashes into package definitions. So, I bet that Guix users don't often
verify the signatures themselves; instead they choose to trust the
packagers, which is one reason we started signing all our Git commits.

Does Parabola have some sort of keyring that all the upstream keys go
into? Or did I misinterpret your suggestion? I'm not familiar with the
Parabola package management system.

By the way, we still have some work to do on a related topic:
https://bugs.gnu.org/22883

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]