
GNU Guix 1.2.0 released

GNU Guix 1.2.0 released

Posted Nov 24, 2020 13:51 UTC (Tue) by pabs (subscriber, #43278)
In reply to: GNU Guix 1.2.0 released by civodul
Parent article: GNU Guix 1.2.0 released

Debian authenticates both binaries and source via the same mechanism: OpenPGP signed Release files then a hash chain: Release -> Packages/Sources -> .deb (binary) / .dsc (source).
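The hash chain pabs describes above, worked through as an added example. This is not code from the comment, from Debian or from apt; every Release, Packages, Sources, .dsc, .deb and orig.tar.gz artefact in it is constructed inline for a hypothetical package "example", and the OpenPGP signature check over the Release file (apt runs gpgv against the archive keyring) is assumed to have already passed, so only the hash links beneath it are verified here.

```python
"""Walk the Debian archive hash chain: Release -> Packages/Sources -> .deb / .dsc -> orig.tar.gz.

All artefacts below are constructed in this file and are not real archive content.
The OpenPGP step that roots the chain (apt runs gpgv over InRelease / Release.gpg with
the archive keyring) is assumed to have already passed; only the hash links are checked.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_stanzas(text: str) -> list[dict[str, str]]:
    """Parse deb822 stanzas (Release, Packages, Sources and .dsc all use this layout).
    Lines starting with whitespace continue the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last is not None:
            cur[last] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            cur[key] = value.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas


def parse_checksum_list(field: str) -> dict[str, tuple[str, int]]:
    """Turn '<sha256> <size> <name>' lines (the Release SHA256 section and
    Checksums-Sha256 fields) into {name: (sha256, size)}."""
    out = {}
    for line in field.splitlines():
        parts = line.split()
        if len(parts) == 3:
            out[parts[2]] = (parts[0], int(parts[1]))
    return out


def check_file(expected: dict[str, tuple[str, int]], name: str, data: bytes) -> bool:
    """One link of the chain: the file must be listed, and size and SHA-256 must match."""
    if name not in expected:
        return False
    digest, size = expected[name]
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)


def release_index(release: str) -> dict[str, tuple[str, int]]:
    return parse_checksum_list(parse_stanzas(release)[0]["SHA256"])


def verify_binary(release: str, packages: bytes, deb_name: str, deb: bytes) -> bool:
    """Release -> Packages -> .deb (the chain apt checks before unpacking a binary)."""
    if not check_file(release_index(release), "main/binary-amd64/Packages", packages):
        return False
    for st in parse_stanzas(packages.decode()):
        if st.get("Filename") == deb_name:
            return check_file({deb_name: (st["SHA256"], int(st["Size"]))}, deb_name, deb)
    return False


def verify_source(release: str, sources: bytes, dsc_name: str, dsc: bytes,
                  orig_name: str, orig: bytes) -> bool:
    """Release -> Sources -> .dsc -> orig.tar.gz (the chain behind `apt-get source`)."""
    if not check_file(release_index(release), "main/source/Sources", sources):
        return False
    for st in parse_stanzas(sources.decode()):
        listed = parse_checksum_list(st.get("Checksums-Sha256", ""))
        if dsc_name in listed:
            if not check_file(listed, dsc_name, dsc):
                return False
            in_dsc = parse_checksum_list(parse_stanzas(dsc.decode())[0]["Checksums-Sha256"])
            return check_file(in_dsc, orig_name, orig)
    return False


# --- constructed sample archive for a hypothetical package "example" ---
ORIG_TAR = b"\x1f\x8b constructed example_1.0.orig.tar.gz bytes"
DEB_NAME = "pool/main/e/example/example_1.0-1_amd64.deb"
DEB = b"!<arch>\nconstructed example_1.0-1_amd64.deb bytes\n"
DSC = ("Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\nChecksums-Sha256:\n"
       f" {sha256_hex(ORIG_TAR)} {len(ORIG_TAR)} example_1.0.orig.tar.gz\n").encode()
PACKAGES = ("Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
            f"Filename: {DEB_NAME}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n").encode()
SOURCES = ("Package: example\nVersion: 1.0-1\nDirectory: pool/main/e/example\n"
           "Checksums-Sha256:\n"
           f" {sha256_hex(DSC)} {len(DSC)} example_1.0-1.dsc\n"
           f" {sha256_hex(ORIG_TAR)} {len(ORIG_TAR)} example_1.0.orig.tar.gz\n").encode()
RELEASE = ("Origin: Constructed\nSuite: example\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-amd64/Packages\n"
           f" {sha256_hex(SOURCES)} {len(SOURCES)} main/source/Sources\n")

if __name__ == "__main__":
    print("binary chain ok:", verify_binary(RELEASE, PACKAGES, DEB_NAME, DEB))
    print("source chain ok:", verify_source(RELEASE, SOURCES, "example_1.0-1.dsc", DSC,
                                            "example_1.0.orig.tar.gz", ORIG_TAR))
    # A swapped .deb or a modified Packages index breaks one link and the chain fails.
    print("tampered .deb ok:", verify_binary(RELEASE, PACKAGES, DEB_NAME, DEB + b"\x00"))
    print("tampered index ok:", verify_binary(RELEASE, PACKAGES + b"\n", DEB_NAME, DEB))
```

The point the chain makes is that only the Release file needs a signature: every lower artefact is bound by a size and SHA-256 recorded one level up, so replacing a .deb, a .dsc, an orig tarball or an index file breaks the link above it. A real source package lists its debian.tar.xz and, where present, the orig.tar.gz.asc in the same Checksums-Sha256 fields, so they are covered the same way.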


GNU Guix 1.2.0 released

Posted Nov 24, 2020 14:28 UTC (Tue) by jak90 (subscriber, #123821)

While Debian publishes and signs all the sources that lead to packaged software, there's often no clear link as to how the "upstream" archive is procured (especially when upstream has been long dead or is exclusively a VCS), and how a wholesome collection of source/binary packages bundled as a distribution and signed by the project's master key correlates to the individual maintainer's package version history.

GNU Guix 1.2.0 released

Posted Nov 25, 2020 12:02 UTC (Wed) by pabs (subscriber, #43278)

It seems like the same is true of any distribution.

Debian's solution to this problem is to include upstream signing keys in the source package in the debian.tar.gz component and the upstream signature (orig.tar.gz.asc) alongside their tarball (orig.tar.gz).

I'm not sure I understood what you were getting at in the second half of your sentence.

GNU Guix 1.2.0 released

Posted Nov 25, 2020 13:36 UTC (Wed) by civodul (guest, #58311)

The analogy would be: Debian stores 'debian/rules' and similar files under version control; when one clones or pulls from that repository, the checkout is not authenticated.

GNU Guix 1.2.0 released

Posted Nov 25, 2020 22:48 UTC (Wed) by ballombe (subscriber, #9523)

> Debian stores 'debian/rules' and similar files under version control;
Well but Debian does not...

GNU Guix 1.2.0 released

Posted Nov 26, 2020 18:50 UTC (Thu) by jak90 (subscriber, #123821)

You're right about that, but the infrastructure would be there. Debian has VCS storage for developers on Salsa and has supported a Git-based format for source packages since 2011.
https://wiki.debian.org/GitSrc
The last question actually touches on the same point as this, although just regarding the integrity of upstream.

GNU Guix 1.2.0 released

Posted Nov 27, 2020 0:05 UTC (Fri) by pabs (subscriber, #43278)

Salsa is optional and orthogonal to the Debian archive. In practice the Git-based source package format has never been used and isn't allowed in the Debian archive because the Debian ftp-masters do not want to have to review the entire git history for new packages. Another git related thing Debian has is Dgit, which is similar to Launchpad's bzr stuff in that it imports the source packages from the archive into git. It doesn't have much adoption though.

https://browse.dgit.debian.org/
https://wiki.debian.org/DgitFAQ
https://salsa.debian.org/dgit-team/dgit


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds