Leo Famulari writes: > On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote: >> Right now, when a user does a "guix pull", that pulls down the latest >> repository of code from git, which is kept in a tarball. Once you >> receive the latest code, this has some checks: what's the hash of each >> package, etc. > > A discussion worth having. But, let's merge this bug into > debbugs.gnu.org/22629. I'm not sure they should be merged, though they're related. That thread doesn't deal at all with security, though it provides some other good ideas. It even says: PS: I do not mention the issue of authenticating code here, which is obviously very important and deserves to be treated separately. However I have no objections to merging them if others think we should > Also, we should read "The Update Framework" as requested there. This? https://theupdateframework.github.io/ There seem to be quite a few papers there!