by civodul
1105 days ago
To be clear, I think Nix (like Guix) signs its pre-built binaries ("substitutes"). However, only Guix has signed commits in its repository (the repo contains package definitions) and a mechanism for secure updates: https://guix.gnu.org/en/blog/2020/securing-updates/ The problem goes well beyond, though: as far as I know, Guix is the only project that has a Git repository that users can authenticate when they pull from it.