doc: Encourage signature verification.

* doc/contributing.texi (Submitting Patches): Remind contributors to verify cryptographic signatures.
author: Ricardo Wurmus <rekado@elephly.net> 2017-06-23 09:24:58 +0200
committer: Ricardo Wurmus <rekado@elephly.net> 2017-06-25 22:26:08 +0200
commit: 8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a (patch)
tree: 5da0d0347e50eb40df4ba82509522dcb10427d82 /doc
parent: 7ceb0a83e37d0c2164b944bb816783413fa6f9fa (diff)
download: patches-8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a.tar
patches-8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 925c584e42..0073f24518 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
 affect the whole system---something that bundled copies prevent.
 
 @item
+If the authors of the packaged software provide a cryptographic
+signature for the release tarball, make an effort to verify the
+authenticity of the archive.  For a detached GPG signature file this
+would be done with the @code{gpg --verify} command.
+
+@item
 Take a look at the profile reported by @command{guix size}
 (@pxref{Invoking guix size}).  This will allow you to notice references
 to other packages unwillingly retained.  It may also help determine
author	Ricardo Wurmus <rekado@elephly.net>	2017-06-23 09:24:58 +0200
committer	Ricardo Wurmus <rekado@elephly.net>	2017-06-25 22:26:08 +0200
commit	8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a (patch)
tree	5da0d0347e50eb40df4ba82509522dcb10427d82 /doc
parent	7ceb0a83e37d0c2164b944bb816783413fa6f9fa (diff)
download	patches-8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a.tar patches-8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a.tar.gz