doc: Move paragraph about signature verification to the top.

* doc/contributing.texi (Submitting Patches): Remind contributors to verify
cryptographic signatures at the very beginning.
This commit is contained in:
Ricardo Wurmus 2017-11-08 17:19:45 +01:00
parent 697e341e74
commit 308c08d371
No known key found for this signature in database
GPG key ID: 197A5888235FACAC

View file

@ -308,6 +308,12 @@ Before submitting a patch that adds or modifies a package definition,
please run through this check list:
@enumerate
@item
If the authors of the packaged software provide a cryptographic
signature for the release tarball, make an effort to verify the
authenticity of the archive. For a detached GPG signature file this
would be done with the @code{gpg --verify} command.
@item
Take some time to provide an adequate synopsis and description for the
package. @xref{Synopses and Descriptions}, for some guidelines.
@ -335,12 +341,6 @@ distribution to make transverse changes such as applying security
updates for a given software package in a single place and have them
affect the whole system---something that bundled copies prevent.
@item
If the authors of the packaged software provide a cryptographic
signature for the release tarball, make an effort to verify the
authenticity of the archive. For a detached GPG signature file this
would be done with the @code{gpg --verify} command.
@item
Take a look at the profile reported by @command{guix size}
(@pxref{Invoking guix size}). This will allow you to notice references