Hi,

Arun Isaac <[email protected]> wrote:

> When you are building a package from source, the Parabola build system
> verifies the GPG signature of the source archive if the developer's key
> is in your keyring. Else, it raises an error and asks you to get the
> required key manually. There is also an option that tells the build
> system to automatically fetch the key if it is not in your keyring.

‘guix import’ and ‘guix refresh’ do that (when possible), and otherwise packagers are expected to authenticate tarballs by themselves, as much as possible (usually, I guess we often use a TOFU-style model because that’s often the best one can do.)

An improvement that was proposed earlier is to store in package recipes the fingerprint of the OpenPGP key a package was checked against. That would force packagers to formally specify what they did, and would allow us to have tools that double-check; IOW, it could be thought of as TOFU at the scale of our community, instead of per-packager:

  https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00118.html

Help in this area is very much welcome! :-)

(That said, more and more software is distributed via Git rather than as tarballs, and most repos are unsigned; even if they were, there are basically no tools to meaningfully authenticate a Git checkout…)

Ludo’.
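The fingerprint-pinning idea discussed in this thread, as an added example that is neither Guix code nor the implementation of the linked proposal: a recipe carries the primary-key fingerprint the packager checked against, and the verifier accepts a tarball only if gpg reports a good signature whose primary key matches it. The point it makes concrete is that a zero exit status from ‘gpg --verify’ only says "some key in the keyring signed this", which is exactly the per-packager TOFU the proposal wants to move beyond. The `Recipe` type, the function names and the ‘[GNUPG:]’ status lines are all constructed for the example; only the gpg command-line flags and the ‘--status-fd’ line format are real.

```python
"""Fingerprint-pinned verification of a signed source tarball (added example).

Not Guix code.  The Recipe type, the function names and the gpg
--status-fd transcripts below are constructed for illustration.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipe:
    """Hypothetical package recipe carrying the pinned primary-key fingerprint."""
    name: str
    fingerprint: str  # 40 hex digits of the primary key; spaces tolerated


def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def parse_status(status_text: str) -> dict:
    """Collect the machine-readable '[GNUPG:]' lines gpg emits on --status-fd."""
    info = {"valid": False, "primary_fingerprint": None, "problems": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo>
            #          <hashalgo> <class> [<primary-key-fpr>]
            # If a signing subkey made the signature, field 2 is the subkey's
            # fingerprint; a recipe pins the primary key, so prefer field 11.
            info["valid"] = True
            info["primary_fingerprint"] = fields[11] if len(fields) > 11 else fields[2]
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            # gpg still emits VALIDSIG for an expired or revoked key; this
            # policy rejects those cases outright rather than trusting them.
            info["problems"].append(tag)
    return info


def check_against_recipe(recipe: Recipe, status_text: str) -> tuple:
    """Accept only a good signature whose primary key matches the recipe's fingerprint."""
    info = parse_status(status_text)
    if info["problems"]:
        return False, "gpg reported: " + ", ".join(info["problems"])
    if not info["valid"]:
        return False, "no VALIDSIG line"
    got = normalize_fpr(info["primary_fingerprint"])
    want = normalize_fpr(recipe.fingerprint)
    if got != want:
        return False, f"signed by {got}, recipe pins {want}"
    return True, f"good signature from pinned key {want}"


def verify_tarball(recipe: Recipe, tarball: str, signature: str, keyring: str) -> tuple:
    """Run gpg against an isolated keyring, then apply the recipe check.

    Requires a gpg binary and real files; not exercised by the offline checks.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", keyring, "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return check_against_recipe(recipe, proc.stdout)


# Constructed fingerprints and status transcripts (not real keys or output).
PINNED = "1111222233334444555566667777888899990000"
RECIPE = Recipe(name="example-1.0", fingerprint="1111 2222 3333 4444 5555  6666 7777 8888 9999 0000")

GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 1111222233334444555566667777888899990000 0
[GNUPG:] GOODSIG 9999888877776666 Example Maintainer <[email protected]>
[GNUPG:] VALIDSIG FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666 2019-12-02 1575301023 0 4 0 1 10 01 1111222233334444555566667777888899990000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# A perfectly good signature, but from a key the recipe never pinned.
WRONG_KEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Someone Else <[email protected]>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2019-12-02 1575301023 0 4 0 1 10 01 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

BADSIG_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 9999888877776666 Example Maintainer <[email protected]>
"""

MISSING_KEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 9999888877776666 1 10 00 1575301023 9 FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666
[GNUPG:] NO_PUBKEY 9999888877776666
"""

if __name__ == "__main__":
    for label, status in [("good", GOOD_STATUS), ("wrong key", WRONG_KEY_STATUS),
                          ("bad sig", BADSIG_STATUS), ("missing key", MISSING_KEY_STATUS)]:
        print(label, check_against_recipe(RECIPE, status))
```

The "wrong key" case is the one plain ‘gpg --verify’ cannot distinguish from "good": both exit 0 once the key is in the keyring, so a tool that auto-fetches keys and trusts the exit status verifies nothing a pinned fingerprint would not.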
