Hi!

kias...@disroot.org wrote:

> Authenticate a tarball through a signed tag in a git repository (with
> reproducible builds).
>
> Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/
>
> Source code: https://github.com/kpcyrd/auth-tarball-from-git
>
> Pretty interesting, could be useful for guix.

The example here is about downloading github.com-generated tarballs, which we don’t do in Guix for other reasons.

The kind of tarballs that Guix packages refer to are not autogenerated; they contain more than what the VCS has. Thus, they’re also more difficult to authenticate if they’re not signed.

Thanks for sharing!

Ludo’.