Simon Josefsson via "Development of GNU Guix and the GNU System distribution." <[email protected]> writes:
> It is an added feature if Guix had some policy to REQUIRE that source
> code is also available on some third-party long-term archival site,
> since this makes it harder to introduce deniable corruption through a
> git server compromise. SHA1 is broken, and Git-SHA256 rarely used, so
> this could matter.

I think this is a bit problematic unless we reach a deal with *some* archive that would guarantee archival for our needs. A single data point: I tried to archive a few of my packages to SWH, it has been about a week, and they still are not archived.

So this requirement seems problematic unless we provide an actually working way to do the archival.

Tomas

--
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
