rekado pushed a commit to branch master
in repository guix.
commit 8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a
Author: Ricardo Wurmus <[email protected]>
Date: Fri Jun 23 09:24:58 2017 +0200
doc: Encourage signature verification.
* doc/contributing.texi (Submitting Patches): Remind contributors to verify
cryptographic signatures.
---
doc/contributing.texi | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 925c584..0073f24 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -334,6 +334,12 @@ updates for a given software package in a single place and
have them
affect the whole system---something that bundled copies prevent.
@item
+If the authors of the packaged software provide a cryptographic
+signature for the release tarball, make an effort to verify the
+authenticity of the archive. For a detached GPG signature file this
+would be done with the @code{gpg --verify} command.
+
+@item
Take a look at the profile reported by @command{guix size}
(@pxref{Invoking guix size}). This will allow you to notice references
to other packages unwillingly retained. It may also help determine
