Re: “Building a Secure Software Supply Chain with GNU Guix”
From: Ludovic Courtès
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 04 Jul 2022 09:44:19 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux)
Hi,
bokr@bokr.com writes:
> I think IWBN to have some kind of trust code come with that git output,
> like gpg's 1-5 but indicating how well the committer/signer trusts
> that using the code will *not* cause a problem.
>
> I would like it if every commit had to have a code like that.
I very much agree with what zimoun wrote: it’s very hard to assess the
security implications of a Guix commit (especially a commit that adds,
say, a 100K lines-of-code package), and we shouldn’t ask too much of
packagers.
Ludo’.
Follow-up: Re: “Building a Secure Software Supply Chain with GNU Guix”, Arun Isaac, 2022/07/19