Hi, "Jodi Jodington (dev)" <[email protected]> writes:
> Dec 1, 2025 12:25:13 PM Vagrant Cascadian <[email protected]>:
>> Admittedly, some of the practices of some of the guix committers
>> make me cringe sometimes, e.g. notably the anti-pattern "just use guix
>> download to get the *right* hash and commit that!" ... so there still
>> is a lot of blind trust going on...
>
> What would be the correct way to do it? I've always just used guix
> download 😅

It's not that bad; it's similar to what we do when we use package
importers that support verifying PGP signatures, and prompt us to
download the missing keys; it's called trust on first use, or TOFU for
short. And in some cases (e.g. 'git'), we don't currently have the
support to validate the signatures of PGP-signed commits, so it's not
like you can do more than get the hash from 'guix download -g'. It'd be
nice to add support to check git signatures with 'guix download -g'.

-- 
Thanks,
Maxim

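The two checks discussed in this thread, as an added example that is not Guix code and not part of the original message: `pin_source` is a minimal trust-on-first-use pin store (the first hash you record is whatever you happened to download, later downloads are only compared against it), and `verify_git_commit` is the stronger check the reply wishes `guix download -g` could do, namely verifying a commit's PGP signature against a fingerprint you already trust. The function names, the pin-file format (`NAME SHA256` per line) and the use of `sha256sum` (falling back to `shasum -a 256`) are assumptions made for this example; `verify_git_commit` needs `git` and `gpg` with the signer's key imported, and relies on `git verify-commit --raw`, which prints gpg status lines (including `VALIDSIG <fingerprint>`) on stderr.

```shell
#!/bin/sh
# Added example (not Guix code). Hypothetical helpers contrasting TOFU
# hash pinning with signature verification against a trusted fingerprint.

# sha256 of a file; sha256sum on GNU systems, shasum on BSD/macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# pin_source NAME FILE PINFILE
# Trust on first use: the first time NAME is seen, record FILE's hash in
# PINFILE (this is the blind-trust step: we pin whatever we got). On later
# uses, compare against the recorded hash and fail on any change.
# Returns 0 on first pin or match, 2 on mismatch.
pin_source() {
  name=$1; file=$2; pins=$3
  sum=$(file_sha256 "$file")
  touch "$pins"
  pinned=$(grep "^$name " "$pins" | cut -d' ' -f2)
  if [ -z "$pinned" ]; then
    echo "$name $sum" >> "$pins"
    echo "tofu: pinned $name as $sum"
    return 0
  elif [ "$pinned" = "$sum" ]; then
    echo "ok: $name matches pin"
    return 0
  else
    echo "MISMATCH: $name expected $pinned got $sum" >&2
    return 2
  fi
}

# verify_git_commit REPO COMMIT FINGERPRINT
# The stronger check: the commit must carry a signature that gpg reports as
# VALIDSIG, made by the key whose fingerprint we already trust (pinned
# out of band, e.g. from the project's release page). Assumes git and gpg
# are installed and the signer's public key has been imported.
# Returns 0 when the signature is valid and from that key, 1 otherwise.
verify_git_commit() {
  repo=$1; commit=$2; fpr=$3
  # --raw emits gpg status lines on stderr; a VALIDSIG line names the
  # fingerprint of the key that produced a cryptographically valid signature.
  if git -C "$repo" verify-commit --raw "$commit" 2>&1 \
       | grep 'VALIDSIG' | grep -q "$fpr"; then
    echo "ok: $commit signed by $fpr"
    return 0
  else
    echo "REJECT: $commit has no valid signature from $fpr" >&2
    return 1
  fi
}

# Usage sketch (requires network, git and gpg; not exercised here):
#   git clone https://example.invalid/project.git /tmp/project
#   verify_git_commit /tmp/project v1.2.3 0123456789ABCDEF0123456789ABCDEF01234567 \
#     && pin_source project /tmp/project.tar.gz ~/.source-pins
```

The point the pin store makes concrete is that TOFU only detects a change after the first download; if the tarball or checkout was already tampered with when you first ran `guix download`, the pinned hash faithfully records the bad artifact. `verify_git_commit` pushes the trust decision back to a key fingerprint obtained independently, which is what `guix download -g` cannot do today.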