Re: Tricking peer review
From: Ludovic Courtès
Subject: Re: Tricking peer review
Date: Mon, 18 Oct 2021 09:47:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hello,

Thiago Jung Bauermann <bauermann@kolabnow.com> wrote:

> I’ve been thinking lately that Guix {sh,c}ould have a new ’release-signing-
> keys’ field in the package record which would list the keys that are known
> to sign official releases of the package. Then Guix would check the tarball/
> git commit/git tag when downloading it. It would be an additional (and IMHO
> important) source of truth.

Yes, it’s been discussed a few times and I agree it’d be nice.

The difficulty here is that it’s “silent” metadata: it’s not used, or at
least not necessarily used as part of the download process. But maybe
that’s OK: we can have the download process check signatures when
possible.

Right now we rely on ‘guix refresh -u’ or contributors/reviewers to
perform this check.

> There are details that would need to be hashed out such as how to deal with
> revoked keys or whether to store the keys themselves on the Guix repo or
> anywhere else in Guix’s infrastructure, but I think it’s possible to arrive
> at a reasonable solution.

Perhaps a first step would be to download keys opportunistically.

We have (guix openpgp) which can be used to verify signatures without
taking revocation into account.

Thanks,
Ludo’.