GNU bug report logs - #22883
Trustable "guix pull"


Package: guix

Reported by: Christopher Allan Webber <cwebber <at> dustycloud.org>

Date: Wed, 2 Mar 2016 18:05:02 UTC

Severity: serious

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Werner Koch <wk <at> gnupg.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus <at> gnupg.org>, neal <at> walfield.org
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 05 Jun 2016 09:51:45 +0200

On Sun, 5 Jun 2016 00:27, ludo <at> gnu.org said:

> cannot or shouldn’t try to guess what’s “best”, IMO.  So in this case,
> we keep the default names, ‘gpg2’ and ‘gpgv2’.
>
> Do you think we should rename those files?

Given that Guix is a new distro you should really try to get rid of 1.4
and only use 2.1.  For Windows we have used the name "gpg" for a long time now
and there is a configure option --enable-gpg2-is-gpg to make it easier.

> We sign commits and it’s wonderful; now all we need is tools to actually
> use those signatures to authenticate checkouts.  :-)

Right - Although I sign my commits, other GnuPG hackers don't do it,
and thus for me there is no strong need to verify the commits. But we
should have these tools.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
    /* Single-family house in Erkrath: https://alt-hochdahl.de/haus */





This bug report was last modified 5 years and 53 days ago.
