GNU bug report logs - #32674
[PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 9 Sep 2018 20:45:02 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Mike Gerwitz <mtg <at> gnu.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, Mark H Weaver <mhw <at> netris.org>,
 guix-patches <at> gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
Date: Sun, 09 Sep 2018 21:55:33 -0400
On Sun, Sep 09, 2018 at 22:43:35 +0200, Ludovic Courtès wrote:
> A significant difference compared to ‘gpg --verify’ is that it doesn’t
> check whether keys are expired or revoked; all that matters is whether
> the signature is valid and whether the signing key is in the specified
> keyring.  I think that’s what we want when checking the signature of a
> tarball or Git commit.

Agreed.  Git's use of `gpg --verify' is particularly annoying for this.

> Unfortunately the keybox format and tools are poorly documented, which
> is why I gave examples on how to do that in guix.texi.

Thank you!

> Feedback welcome!

LGTM.  Thanks for CC'ing.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
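
The policy described in the quoted paragraph (accept when the signature is valid and the signing key is in the keyring, regardless of key expiry or revocation), applied to GnuPG's machine-readable `[GNUPG:]` status lines as written by `--status-fd`. This is an added example, not part of the thread or of Guix's code: `check_status` and the sample status lines are constructed for illustration, and rejecting `EXPSIG` (an expired signature, as opposed to an expired key) is an assumption.

```python
"""Added illustration: keyring-membership signature policy over GnuPG status lines."""

# Status keywords from GnuPG's "[GNUPG:]" status-line format.
# These mean the signature is cryptographically good and the key was found
# in the keyring; the key's expiry or revocation state is deliberately ignored.
ACCEPT = {"GOODSIG", "EXPKEYSIG", "REVKEYSIG"}
# Bad signature, verification error, or signing key absent from the keyring.
# Treating EXPSIG (expired *signature*) as a rejection is an assumption.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG"}


def check_status(status_text):
    """Return (accepted, signer_ids, reason) for one verification run."""
    signers, problems = [], []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # human-readable output, not a status line
        keyword, args = parts[1], parts[2:]
        if keyword in ACCEPT and args:
            signers.append(args[0])  # key ID or fingerprint of the signer
        elif keyword in REJECT:
            problems.append(keyword)
    # Any failing signature rejects the whole file, even beside a good one.
    if problems:
        return False, signers, "rejected: " + ", ".join(problems)
    if not signers:
        return False, signers, "rejected: no valid signature reported"
    return True, signers, "accepted"


# Constructed sample status output (key IDs and names are made up).
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <m@example.org>\n")
EXPIRED_KEY = "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Maintainer <m@example.org>\n"
UNKNOWN_KEY = ("[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1536500000 9\n"
               "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n")
TAMPERED = "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <m@example.org>\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("expired key", EXPIRED_KEY),
                         ("unknown key", UNKNOWN_KEY), ("tampered", TAMPERED)]:
        print(name, check_status(sample))
```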

This bug report was last modified 6 years and 248 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.