Hi Simon,
Simon Josefsson <[email protected]> writes: > Would you consider adding SHA3-256 checksums to announcements too? Sure, that is no problem, especially if a script is already made for this, I wasn't aware of it. > Rutherther <[email protected]> writes: > >> Installation script: https://guix.gnu.org/guix-install.sh > ... >> All of these files have are signed at <link>.sig. They are all signed by >> Rutherther, you can get his public key from [1], then import it using >> “gpg --import”. > ... >> • SHA256 hashes > > The guix-install.sh script does not seem to have a *.sig file, nor is it > included in the SHA256 hash list. That is true. That is because the script tracks master of the Guix repository and we cannot be sure no one will change it in the following days. So we cannot include it in the SHA256 hash list as it is not 'part' of the release by itself. It having different hash afterwards is not a bug and it would be confusing to users if it was included in the list and changed. Generally the install script is improved even after the release, while parts of it are tied to the tarball, large part of it isn't. For example the /etc/profile.d/zzz-guix.sh lives in the script and might be changed. This is then used to improve it even throughout the time when there isn't any release. > Since this script is often ran by > root, I think it should have some security protection beyond WebPKI > https URL assurance. Maybe already tracked in some bug report? Still, > would be great to see improved for 1.5.0. I do not know of such an issue, feel free to create it. This would require serious rethinking on how to manage this script, though. Because automatic updates would no longer be possible. Thanks for your points, Rutherther > > /Simon
