
Re: Securing the software distribution chain


From: Efraim Flashner
Subject: Re: Securing the software distribution chain
Date: Tue, 25 Aug 2020 13:01:00 +0300

On Mon, Aug 24, 2020 at 04:36:22PM +0200, Ludovic Courtès wrote:
> Hi!
> 
> Justus Winter <teythoon@avior.uberspace.de> writes:
> 
> > Ludovic Courtès <ludo@gnu.org> writes:
> 
> [...]
> 
> We can introduce signature verification in (guix download): every time
> code is downloaded and signature metadata is available, we verify its
> signature.  Unfortunately, I’m afraid this is likely to lead to lots of
> false positives, and in particular failure to retrieve the OpenPGP key.
> 
> WDYT?  Where would you integrate that?
> 

Debian does sometimes add a public gpg key or the tarball signature
inside their debian folder. Not exactly sure how that would map for us
though.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
