Hello, Mike Gerwitz skribis: > But there doesn't seem to be any way to secure a git repository against > a second-preimage attack. That’s by large beyond the scope of this discussion. :-) I think all we want is to allow someone who gets a checkout of Guix to authenticate the source code, i.e., to make sure it was committed by one of these awesome Guix hackers and not by Mr. Evildoer. Ludo’.