[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Packaging packages with GPG signed source archives
From: |
Ludovic Courtès |
Subject: |
Re: Packaging packages with GPG signed source archives |
Date: |
Fri, 02 Sep 2016 14:14:38 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
ng0 <address@hidden> skribis:
> Ludovic Courtès <address@hidden> writes:
>
>> Hi,
>>
>> ng0 <address@hidden> skribis:
>>
>>> On the subject of git repos, I do not understand enough of the
>>> git-download.scm at the moment to add this myself, but why don't we have
>>> git-fsck in it as default?
>>
>> Dunno; what would it add?
>>
>> Ludo’.
>
> I don't understand enough of it, I only know someone else added it to
> some project I contribute to.
Guix ‘origin’ forms store the expected SHA256 of the checkout. So
everytime we do a Git checkout, guix-daemon explicitly makes sure the
the checkout contents match the given SHA256. IOW, we already have
integrity checks built in Guix. For this reason, I think ‘git fsck’
wouldn’t provide any additional guarantee.
Hope this makes sense!
Ludo’.