Hi!

Andreas Enge <andr...@enge.fr> wrote:

> On Wed, Apr 10, 2024 at 03:57:20PM +0200, Ludovic Courtès wrote:
>> I think we should gradually move to building everything from
>> source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
>
> the big drawback of this approach is that we would lose maintainers'
> signatures, right?

Yes. But as Attila wrote, one can hope that they provide a way to
authenticate at least part of their VCS history, for example with signed
tags. (Ideally everyone would use ‘guix git authenticate’ of course.)

> Would the suggestion to use signed tarballs, but to autoreconf the
> generated files, not be a better compromise between trusting and
> distrusting upstream maintainers?

IMO starting from an authenticated VCS checkout is clearer.

Ludo’.