bug#42162: Recovering source tarballs

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#42162: Recovering source tarballs

From:	Ludovic Courtès
Subject:	bug#42162: Recovering source tarballs
Date:	Wed, 22 Jul 2020 12:28:50 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello!

zimoun <zimon.toutoune@gmail.com> skribis:

> On Tue, 21 Jul 2020 at 23:22, Ludovic Courtès <ludo@gnu.org> wrote:
>
>>>> >>   • If we no longer deal with tarballs but upstreams keep signing
>>>> >>     tarballs (not raw directory hashes), how can we authenticate our
>>>> >>     code after the fact?
>>>> >
>>>> > Does Guix automatically authenticate code using signed tarballs?
>>>>
>>>> Not automatically; packagers are supposed to authenticate code when they
>>>> add a package (‘guix refresh -u’ does that automatically).
>>>
>>> So I miss the point of having this authentication information in the
>>> future where upstream has disappeared.
>>
>> What I meant above, is that often, what we have is things like detached
>> signatures of raw tarballs, or documents referring to a tarball hash:
>>
>>   https://sympa.inria.fr/sympa/arc/swh-devel/2016-07/msg00009.html
>
> I still miss why it matters to store detached signature of raw tarballs.

I’m not saying we (Guix) should store signatures; I’m just saying that
developers typically sign raw tarballs.  It’s a general statement to
explain why storing or being able to reconstruct tarballs matters.

Thanks,
Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#42162: Recovering source tarballs, (continued)

Prev by Date: bug#41715: The program '/gnu/store/foobar/compute-guix-derivation' failed to compute the derivation for guix
Next by Date: bug#42173: [PATCH 2/2] services: nix: Fix sandbox.
Previous by thread: bug#42162: Recovering source tarballs
Next by thread: bug#42162: Recovering source tarballs
Index(es):
- Date
- Thread