diff options
author | Ricardo Wurmus <rekado@elephly.net> | 2017-06-23 09:24:58 +0200 |
---|---|---|
committer | Ricardo Wurmus <rekado@elephly.net> | 2017-06-25 22:26:08 +0200 |
commit | 8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a (patch) | |
tree | 5da0d0347e50eb40df4ba82509522dcb10427d82 | |
parent | 7ceb0a83e37d0c2164b944bb816783413fa6f9fa (diff) | |
download | guix-8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a.tar.gz guix-8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a.zip |
doc: Encourage signature verification.
* doc/contributing.texi (Submitting Patches): Remind contributors to verify
cryptographic signatures.
-rw-r--r-- | doc/contributing.texi | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi index 925c584e42..0073f24518 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi @@ -334,6 +334,12 @@ updates for a given software package in a single place and have them affect the whole system---something that bundled copies prevent. @item +If the authors of the packaged software provide a cryptographic +signature for the release tarball, make an effort to verify the +authenticity of the archive. For a detached GPG signature file this +would be done with the @code{gpg --verify} command. + +@item Take a look at the profile reported by @command{guix size} (@pxref{Invoking guix size}). This will allow you to notice references to other packages unwillingly retained. It may also help determine |