[Nix-dev] Signed git

S3 scubed2 at gmail.com
Fri Feb 26 08:19:08 CET 2016


Unlike most distros, the NixOS download page doesn't appear to have
GPG signatures for the CD images.
https://nixos.org/nixos/download.html
vs.
https://www.debian.org/CD/verify
http://distfiles.gentoo.org/releases/amd64/autobuilds/20160218/install-amd64-minimal-20160218.iso.DIGESTS.asc

In fact, the key here
https://nixos.org/~eelco/
is so old, I can't import it because
it is using MD5.

~> gpg --import < eelco.key
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: key 8380778D: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Return value = 2

When I look at the git label,
nixpkgs> git tag -v '15.09'
object 9c31c72cafe536e0c21238b2d47a23bfe7d1b033
type commit
tag 15.09
tagger Domen Kožar <domen at dev.si> 1443651442 +0200

Release 15.09
error: no signature found
error: could not verify the tag '15.09'

So, as far as I can tell, nothing is signed.
This means that if anyone downloads the CD image over http,
they could get the wrong file.  This also means,
in effect, that github has root on our machines.
(Please tell me if I'm just overlooking it.)

It would help a lot if there was a key for signing the releases
and the git tags.  That way, no matter what happened in between,
we could tell which versions were valid.  It would also help
to have a signed tag tracking head in github.  That way,
github would not need to be trusted at all, and people could
just sync to wherever that tag currently was.

-- 
$_="sccc,gB1,a_oo,JosBackuSa,g11,ug1a,oscc,cBBg,JcgaBuucaB_s11_Juc_c";
while(($c,$b,$a)=m/^(.)([^,]*),(.*)$/){$_=$a;s/$c/$b/g;}
print map chr length,split /_/;

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160225/df79b2d6/attachment.bin 
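The checks the post asks for, written out as an added example (this is not code from the original message, nor NixOS project tooling): verify a clearsigned digest file such as the Gentoo DIGESTS.asc linked above, confirm that the signature was made by a pinned key fingerprint rather than by any key that happens to be in the local keyring, check the image's SHA-256 against the signed digest, and verify a signed git tag the same way. Assumptions: `gpg` and `git` are on PATH, the digest file uses the `<hex>  <filename>` layout that `sha256sum` emits, and `EXPECTED_FPR` is a placeholder that must be replaced with the project's published signing-key fingerprint (the post does not give one).

```shell
#!/bin/sh
# Added example, not from the original post or from NixOS. Verifies a release
# image against a clearsigned digest file and a pinned signing key, then
# verifies a signed git tag. EXPECTED_FPR is a placeholder: replace it with the
# project's published fingerprint.
set -eu

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # placeholder

# Portable SHA-256 of a file (coreutils sha256sum, else BSD/perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look up the 64-hex-digit entry for the image's basename in a digest file
# ("<hex>  <name>" or "<hex> *<name>", comment lines ignored) and compare it
# with the hash computed locally. Returns 0 only on an exact match.
check_digest() {
    digest_file=$1; image=$2
    want=$(awk -v n="$(basename "$image")" \
        '{ f=$2; sub(/^\*/, "", f) } length($1)==64 && f==n { print $1; exit }' \
        "$digest_file")
    [ -n "$want" ] || { echo "no SHA256 entry for $(basename "$image")" >&2; return 1; }
    have=$(sha256_of "$image")
    [ "$want" = "$have" ]
}

# Verify a clearsigned file (or a detached signature plus its data file) and
# require that the VALIDSIG status line names the pinned fingerprint. A bare
# `gpg --verify` exit code of 0 only means "some key in the keyring signed it".
verify_signed_by() {
    sig=$1; data=${2:-}
    status=$(gpg --status-fd 1 --verify "$sig" ${data:+"$data"} 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print $3; exit }')
    [ "$fpr" = "$EXPECTED_FPR" ]
}

# Same fingerprint pinning for a signed git tag; --raw emits gpg status lines.
verify_git_tag() {
    repo=$1; tag=$2
    out=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || return 1
    fpr=$(printf '%s\n' "$out" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print $3; exit }')
    [ "$fpr" = "$EXPECTED_FPR" ]
}

# Full release check: signature on the digest file first, then the image hash.
verify_release() {
    digest_asc=$1; image=$2
    verify_signed_by "$digest_asc" || { echo "digest signature check failed" >&2; return 1; }
    check_digest "$digest_asc" "$image" || { echo "image hash mismatch" >&2; return 1; }
    echo "OK: $image matches digest signed by $EXPECTED_FPR"
}

# Usage: sh verify.sh DIGESTS.asc image.iso [repo tag]
if [ "$#" -ge 2 ]; then
    verify_release "$1" "$2"
    if [ "$#" -ge 4 ]; then
        verify_git_tag "$3" "$4" && echo "OK: tag $4 signed by $EXPECTED_FPR"
    fi
fi
```

The order matters: the digest file's signature is checked before any hash is compared, so an attacker who can serve a modified image over plain http would also have to produce a digest file signed by the pinned key. Pinning the fingerprint rather than trusting `gpg --verify`'s exit code closes the gap where a stray or attacker-supplied key in the keyring would otherwise make the check pass.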