I was looking at the installation video from Laura (not yet public) and wondered about that:
We just download the installation script: $ wget https://.../guix-install.sh Then we go on directly executing that script. Shouldn't that be save-garded by a PGP-signature too? Because if it is not, the user could be tricked into a script that downloads a "bad" Guix installation tarball. That's what we are always criticising about others wget-scripts that install whatever to the user. WDYT? Björn
pgp8GVCKedtnu.pgp
Description: OpenPGP digital signature
