Re: Signed archives
From: Nikita Karetnikov
Subject: Re: Signed archives
Date: Thu, 20 Feb 2014 13:54:27 +0400
More questions:
1. Will hydra.gnu.org serve only signed .narinfo files?
2. If not, how can one opt out of verifying while using ‘guix
substitute-binary’? Should we add an option to ‘guix package’ and
‘guix build’?
3. How does a user get Hydra’s public key?
4. Will the entire cache be signed with a single key? (Mark, would you
like to add something?)
5. When do we want to verify the .narinfo file? Can it be done in
‘read-narinfo’? Similarly, should we sign and base64-encode in
‘write-narinfo’?
6. Where should ‘guix substitute-binary’ look for a keypair?
7. How do we determine that a file is signed with a trusted key? What
if we don’t have the needed public key? Does it mean we miss the
right one, or is it a MITM attack?