guix-devel

Re: Tricking peer review


From: Ludovic Courtès
Subject: Re: Tricking peer review
Date: Mon, 18 Oct 2021 09:47:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hello,

Thiago Jung Bauermann <bauermann@kolabnow.com> skribis:

> I’ve been thinking lately that Guix {sh,c}ould have a new ’release-signing-
> keys’ field in the package record which would list the keys that are known 
> to sign official releases of the package. Then Guix would check the tarball/
> git commit/git tag when downloading it. It would be an additional (and IMHO 
> important) source of truth.

Yes, it’s been discussed a few times and I agree it’d be nice.

The difficulty here is that it’s “silent” metadata: it’s not used, or at
least not necessarily used as part of the download process.  But maybe
that’s OK: we can have the download process check signatures when
possible.

Right now we rely on ‘guix refresh -u’ or contributors/reviewers to
perform this check.

> There are details that would need to be hashed out such as how to deal with 
> revoked keys or whether to store the keys themselves on the Guix repo or 
> anywhere else in Guix’s infrastructure, but I think it’s possible to arrive 
> at a reasonable solution.

Perhaps a first step would be to download keys opportunistically.

We have (guix openpgp) which can be used to verify signatures without
taking revocation into account.

Thanks,
Ludo’.
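Below is an added sketch, written for this page and not code from the message above or from Guix itself, of the check the thread is discussing: verify a detached OpenPGP signature over a release tarball with (guix openpgp), then accept it only if the signing key's fingerprint is on the package's list of known release-signing keys. The ‘release-signing-keys’ field, the ‘verify-release-signature’ procedure, the file names and the fingerprint value are all hypothetical; the (guix openpgp) procedures used (‘get-openpgp-keyring’, ‘get-openpgp-detached-signature/ascii’, ‘verify-openpgp-signature’, ‘openpgp-public-key-fingerprint’) are the ones I believe the module exports, so check them against the module before building on this. Since, as the message notes, the module does not take revocation into account, the fingerprint allow-list is what stands in for it: a key dropped from the list is rejected even though its signature still verifies.

```scheme
;; Added example, not part of the original message or of Guix.  Hypothetical:
;; 'verify-release-signature', the 'release-signing-keys' idea it serves, the
;; file names and the sample fingerprint.  Assumed: the (guix openpgp)
;; procedure names below; verify them against the module.
(use-modules (guix openpgp)
             (guix base16)
             (rnrs bytevectors)
             (srfi srfi-1)
             (ice-9 match))

(define (keyring-from-file file)
  "Read a keyring of raw OpenPGP packets (as produced by 'gpg --export') from FILE."
  (call-with-input-file file get-openpgp-keyring #:binary #t))

(define (detached-signature-from-file file)
  "Read an ASCII-armored detached signature (.asc or .sig) from FILE."
  (call-with-input-file file get-openpgp-detached-signature/ascii))

(define (fingerprint-allowed? key allowed-fingerprints)
  "True if KEY's fingerprint is one of ALLOWED-FINGERPRINTS, given as hex
strings.  This list is the substitute for revocation handling: the packager
removes a compromised or retired key from it and the key stops being accepted."
  (let ((fpr (openpgp-public-key-fingerprint key)))
    (any (lambda (hex)
           (bytevector=? fpr (base16-string->bytevector hex)))
         allowed-fingerprints)))

(define (verify-release-signature tarball signature-file keyring-file
                                  allowed-fingerprints)
  "Return 'good-signature when SIGNATURE-FILE is a valid signature over TARBALL
made by a key found in KEYRING-FILE whose fingerprint is in
ALLOWED-FINGERPRINTS.  Otherwise return a symbol naming the failure:
'untrusted-key for a valid signature by a key not on the list, or the status
reported by 'verify-openpgp-signature' ('bad-signature, 'missing-key, ...)."
  (let ((sig     (detached-signature-from-file signature-file))
        (keyring (keyring-from-file keyring-file)))
    (call-with-input-file tarball
      (lambda (port)
        (call-with-values
            (lambda () (verify-openpgp-signature sig keyring port))
          (lambda (status key)
            (match status
              ('good-signature
               ;; Cryptographically valid; now enforce the per-package policy.
               (if (fingerprint-allowed? key allowed-fingerprints)
                   'good-signature
                   'untrusted-key))
              (_ status)))))
      #:binary #t)))

;; Hypothetical use: with a 'release-signing-keys' field, the fingerprint list
;; would come from the package record.  The fingerprint below is a constructed
;; placeholder, not a real key, and the file names are illustrative.
(define %example-release-keys
  '("0000000000000000000000000000000000000001"))

(define (check-example-release)
  (verify-release-signature "hello-2.12.tar.gz"
                            "hello-2.12.tar.gz.sig"
                            "release-keys.gpg"
                            %example-release-keys))
```

A downloader hooked in this way would treat anything but 'good-signature as a hard failure rather than a warning; 'missing-key is the case the opportunistic key download mentioned above would address, and 'untrusted-key is the one that catches a release signed by a key the project has quietly stopped using.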
