Hello Guix!

Alex Vong <alexvong1...@gmail.com> writes:

> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
>   $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>

Correct, the quick and "dirty" workaround is **to stop using the SKS
network** and warn Guix users to **manually download** certificates.

This means we should quickly patch the Guix manual: I've no time to propose a
patch today, I'll work on this tomorrow.

We also need to address this for **all** Guix contributors: we require a
GPG-signed commit, so each and every contributor/developer should
understand the risks of using the SKS network and apply the currently proposed
workarounds: can we state this in maintenance.git/HACKING?

We should act quickly, IMHO.

Thanks! Gio'

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
