Re: Securing the software distribution chain
From: Efraim Flashner
Subject: Re: Securing the software distribution chain
Date: Tue, 25 Aug 2020 13:01:00 +0300
On Mon, Aug 24, 2020 at 04:36:22PM +0200, Ludovic Courtès wrote:
> Hi!
>
> Justus Winter <teythoon@avior.uberspace.de> skribis:
>
> > Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
> We can introduce signature verification in (guix download): every time
> code is downloaded and signature metadata is available, we verify its
> signature. Unfortunately, I’m afraid this is likely to lead to lots of
> false positives, and in particular failure to retrieve the OpenPGP key.
>
> WDYT? Where would you integrate that?
>
Debian does sometimes add a public gpg key or the tarball signature
inside their debian folder. Not exactly sure how that would map for us
though.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
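As an added illustration of the Debian-style approach mentioned in the reply (a signing key shipped alongside the packaging, as in Debian's debian/upstream/signing-key.asc convention), the shell function below verifies a downloaded tarball against a detached OpenPGP signature using only a key file pinned next to the package definition. It is example code written for this page, not code from the thread and not Guix's (guix download) code; the file names in the usage line are assumptions. It never contacts a keyserver, so the "failure to retrieve the OpenPGP key" case raised above becomes a deterministic local check with its own exit code rather than a transient false positive.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix. Verifies an upstream
# tarball against a detached OpenPGP signature using ONLY a signing key that
# is pinned in the package's own directory (Debian keeps such keys as
# debian/upstream/signing-key.asc). No keyserver is ever contacted, so the
# "could not retrieve the key" failure mode becomes a local, deterministic check.
#
# Exit codes:
#   0  good signature from the pinned key
#   1  gpg ran but verification failed (bad signature, or not made by the pinned key)
#   2  tarball or detached signature missing
#   3  pinned key file missing
#   4  gpg not installed

verify_tarball() {
    tarball=$1 sig=$2 keyfile=$3

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$sig" ]     || { echo "missing signature: $sig" >&2; return 2; }
    [ -f "$keyfile" ] || { echo "missing pinned key: $keyfile" >&2; return 3; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 4; }

    # Throw-away GnuPG home containing nothing but the pinned key, so the
    # user's own keyring and trust database cannot influence the outcome.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    rc=1
    if gpg --homedir "$home" --batch --quiet --import "$keyfile" >/dev/null 2>&1 \
       && gpg --homedir "$home" --batch --trust-model always \
              --verify "$sig" "$tarball" >/dev/null 2>&1; then
        rc=0
    fi
    # A gpg-agent may have been started for the temporary home; stop it, then clean up.
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    return "$rc"
}

# Usage (assumed file names):
#   verify_tarball foo-1.0.tar.gz foo-1.0.tar.gz.sig upstream-signing-key.asc
```

Because the temporary GnuPG home holds exactly one key, a successful verification implies the signature was made by the pinned key and no other; a signature from an unknown key fails with exit code 1 just as a corrupted one does. Rotating the upstream key then means changing the pinned key file in the repository, which is reviewed like any other packaging change.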