doc: Encourage signature verification.

* doc/contributing.texi (Submitting Patches): Remind contributors to verify
cryptographic signatures.
Ricardo Wurmus 2017-06-23 09:24:58 +02:00
parent 7ceb0a83e3
commit 8ceffb2f34
No known key found for this signature in database
GPG key ID: 197A5888235FACAC


@ -333,6 +333,12 @@ distribution to make transverse changes such as applying security
updates for a given software package in a single place and have them
affect the whole system---something that bundled copies prevent.
@item
If the authors of the packaged software provide a cryptographic
signature for the release tarball, make an effort to verify the
authenticity of the archive. For a detached GPG signature file this
would be done with the @code{gpg --verify} command.
@item
Take a look at the profile reported by @command{guix size}
(@pxref{Invoking guix size}). This will allow you to notice references
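
Review bot: the new @item ending in "@code{gpg --verify} command" does not say how the contributor should establish trust in the signing key, and a good signature from gpg only shows that some key in the local keyring made it, so the check proves authenticity only if that key's fingerprint was confirmed through a channel independent of the download location. Suggest adding a sentence to that effect and spelling the invocation out with both the detached signature file and the tarball as arguments, so it is clear that the archive being packaged is the one verified. "Make an effort" also leaves open what to do when verification fails or no key can be found; the item should say whether the patch should still be submitted in that case.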