From 8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Fri, 23 Jun 2017 09:24:58 +0200 Subject: doc: Encourage signature verification. * doc/contributing.texi (Submitting Patches): Remind contributors to verify cryptographic signatures. --- doc/contributing.texi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/contributing.texi b/doc/contributing.texi index 925c584e42..0073f24518 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi @@ -333,6 +333,12 @@ distribution to make transverse changes such as applying security updates for a given software package in a single place and have them affect the whole system---something that bundled copies prevent. +@item +If the authors of the packaged software provide a cryptographic +signature for the release tarball, make an effort to verify the +authenticity of the archive. For a detached GPG signature file this +would be done with the @code{gpg --verify} command. + @item Take a look at the profile reported by @command{guix size} (@pxref{Invoking guix size}). This will allow you to notice references -- cgit v1.2.3
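Review bot: the new @item tells the packager to run gpg --verify but says nothing about establishing that the signing key really belongs to the upstream authors, which is the step that makes the check meaningful: a detached signature verifies cleanly against any key that happens to be in the packager's keyring, including one imported from a keyserver under the author's name by someone else. Suggest extending the paragraph with one or two sentences saying that the key should be obtained through a channel independent of the download (the project's website, a release announcement, or the key that signed previous releases) and its fingerprint compared before trusting a "Good signature" result, and giving the argument order explicitly, e.g. "gpg --verify foo-1.2.tar.gz.sig foo-1.2.tar.gz", since the command is easy to invoke with only the signature file. Minor style point: the surrounding text marks up commands with @command (see @command{guix size} in the following context line), so @code{gpg --verify} would be more consistent as @command{gpg --verify}.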