Re: Packaging packages with GPG signed source archives

[ng0]

Ludovic Courtès <address@hidden> writes:

> Hi,
>
> Arun Isaac <address@hidden> skribis:
>
>> When you are building a package from source, the Parabola build system
>> verifies the GPG signature of the source archive if the developer's key
>> is in your keyring. Else, it raises an error and asks you to get the
>> required key manually. There is also an option that tells the build
>> system to automatically fetch the key if it is not in your keyring.
>
> ‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise
> packagers are expected to authenticate tarballs by themselves, as much
> as possible (usually, I guess we often use a TOFU-style model because
> that’s often the best one can do.)
>
> An improvement that was proposed earlier is to store in package recipes
> the fingerprint of the OpenPGP key a package was checked against.  That
> would force packagers to formally specify what they did, and would allow
> us to have tools that double-check; IOW, it could be thought of as TOFU
> at the scale of our community, instead of per-packager:
>
>   https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html
>
> Help in this area is very much welcome!  :-)
>
> (That said, more and more software is distributed via Git rather than as
> tarballs, and most repos are unsigned; even if they were, there are
> basically no tools to meaningfully authenticate a Git checkout…)
>
> Ludo’.
>

On the subject of git repos, I do not understand enough of the
git-download.scm at the moment to add this myself, but why don't we have
git-fsck in it as default?

-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org