Re: Checking signatures on source tarballs

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Checking signatures on source tarballs

From:	Alex Vong
Subject:	Re: Checking signatures on source tarballs
Date:	Sat, 10 Oct 2015 15:22:12 +0800

> What you suggest would be perfect but, if I understand it correctly,
> it’s far from reality.  There’s not a single project I know of that
> publishes the list of public keys authorized to sign its tarballs.  Even
> if they did, we’d need a way to authenticate that list.
>
I think <https://www.kernel.org/signature.html> has listed all their
public keys used to sign their releases. This seems to be quite a neat
way of doing things. But you're right that there is no easy way to
authenticate that list.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Checking signatures on source tarballs, (continued)
- [PATCH 1/4] emacs: Add 'guix-devel-with-definition'., Alex Kost, 2015/10/08
  - Re: [PATCH 1/4] emacs: Add 'guix-devel-with-definition'., Ludovic Courtès, 2015/10/08

Prev by Date: [PATCH 2/2] gnu: bspwm: New variable.
Next by Date: Re: [PATCH] build: container: Fix call-with-clean-exit.
Previous by thread: Re: Checking signatures on source tarballs
Next by thread: Re: Checking signatures on source tarballs
Index(es):
- Date
- Thread