**Ludovic Courtès** @civodul@toot.aquilenet.fr · 2022-06-30T12:54:20Z

Ludovic Courtès @civodul@toot.aquilenet.fr

“Building a Secure Software Supply Chain with GNU Guix”
https://programming-journal.org/2023/7/1/

New refereed article on #SupplyChainSecurity in #Guix, from #bootstrapping to #ReproducibleBuilds, with a focus on secure #Git updates.

Jun 30, 2022, 12:54 · · Web · · ·

**Ludovic Courtès** @civodul@toot.aquilenet.fr · Jun 30, 2022, 12:56

**Ludovic Courtès** @civodul@toot.aquilenet.fr · Jun 30, 2022, 12:56

Ludovic Courtès @civodul@toot.aquilenet.fr

Is #TheUpdateFramework (TUF) appropriate for #Guix?

Are #Git signed commits sufficient to authenticate a repo?

What about Git{Hub,Lab} “verified” badges?

**Ludovic Courtès** @civodul@toot.aquilenet.fr · Jun 30, 2022, 12:59

**Ludovic Courtès** @civodul@toot.aquilenet.fr · Jun 30, 2022, 12:59

Ludovic Courtès @civodul@toot.aquilenet.fr

The paper describes the checkout authentication mechanism #Guix has been using for two years.

Unlike TUF, it's tailored to functional deployment à la #Nix & #Guix

More generally, it supports off-line #Git repo authentication.