From: Tobias Geerinckx-Rice
Subject: Re: Guix git master reset
Date: Thu, 11 Mar 2021 11:20:26 +0100
Tobias Geerinckx-Rice wrote:
There was nothing wrong with the reverted commit; it was simply signed with a different key than ‘guix pull’ expects.
To generalise: ‘guix pull’ already tries not to trust mirrors by independently verifying GPG commits, assuming you've pulled from an uncompromised repository once before.
Mirrors that cautiously refuse to update to a reset head offer no security advantage, but they will silently serve old (and possibly vulnerable) packages to users.
Kind regards, T G-R
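As an added illustration (not Guix's code; HMAC stands in for OpenPGP signatures, and the key names and history are constructed), a toy model of the rule the message describes: starting from a commit trusted on the first pull, each later commit must be signed by a key its parent authorizes, so a commit signed with an unexpected key is rejected, and a descendant check rejects a mirror that serves a stale head instead of accepting it silently.

```python
import hashlib
import hmac

# Constructed keys: the secret stands in for a private OpenPGP key and the
# name for its fingerprint.  Signatures are simulated with HMAC.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}

def make_commit(parent, content, authorizations, signer):
    """Build a commit whose 'authorizations' list names the keys allowed
    to sign its *children* (the role .guix-authorizations plays), signed by `signer`."""
    cid = hashlib.sha256(repr((parent, content, sorted(authorizations))).encode()).hexdigest()
    sig = hmac.new(KEYS[signer], cid.encode(), hashlib.sha256).hexdigest()
    return {"id": cid, "parent": parent, "content": content,
            "authorizations": list(authorizations), "signer": signer, "sig": sig}

def signature_valid(commit):
    expected = hmac.new(KEYS[commit["signer"]], commit["id"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, commit["sig"])

def authenticate(commits, introduction, head, last_pulled=None):
    """Walk from `head` back to `introduction` (trusted on first pull); every commit
    must be signed by a key its parent authorizes.  With `last_pulled` set, the head
    must also descend from it, so a stale or downgraded mirror head is refused."""
    chain, cur = [], head
    while cur != introduction:
        if cur not in commits:
            return False, "head does not descend from the trusted introduction"
        chain.append(cur)
        cur = commits[cur]["parent"]
    if last_pulled not in (None, introduction) and last_pulled not in chain:
        return False, "head is older than the last pull (stale or downgraded mirror)"
    for cid in reversed(chain):  # oldest first
        commit, parent = commits[cid], commits[commits[cid]["parent"]]
        if not signature_valid(commit):
            return False, f"{cid[:8]}: bad signature"
        if commit["signer"] not in parent["authorizations"]:
            return False, f"{cid[:8]}: signed by a key the parent does not authorize"
    return True, "ok"

def demo():
    """Constructed history: alice authorizes bob, bob signs, mallory tries."""
    intro = make_commit(None, "introduction", ["alice"], "alice")
    add_bob = make_commit(intro["id"], "authorize bob", ["alice", "bob"], "alice")
    fix = make_commit(add_bob["id"], "fix", ["alice", "bob"], "bob")
    early = make_commit(intro["id"], "too early", ["alice", "bob"], "bob")  # bob not yet authorized
    evil = make_commit(fix["id"], "evil", ["mallory"], "mallory")
    names = {"intro": intro, "add_bob": add_bob, "fix": fix, "early": early, "evil": evil}
    commits = {c["id"]: c for c in names.values()}
    return commits, {k: c["id"] for k, c in names.items()}
```

Running `demo()` and then `authenticate(commits, ids["intro"], ids["early"])` shows the situation in the thread: a commit signed by a legitimate key is still refused when the parent's authorization list does not yet include that key.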