GNU bug report logs

#22883 Trustable "guix pull"

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #171 received at 22883@debbugs.gnu.org (full text, mbox, reply):

Received: (at 22883) by debbugs.gnu.org; 29 Dec 2019 02:45:49 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sat Dec 28 21:45:48 2019
Received: from localhost ([127.0.0.1]:59128 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ilOaS-0002c5-Mw
	for submit@debbugs.gnu.org; Sat, 28 Dec 2019 21:45:48 -0500
Received: from cascadia.aikidev.net ([173.255.214.101]:35594)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <vagrant@debian.org>) id 1ilOaR-0002br-2m
 for 22883@debbugs.gnu.org; Sat, 28 Dec 2019 21:45:47 -0500
Received: from localhost (unknown [IPv6:2600:3c01:e000:21:21:21:0:100b])
 (Authenticated sender: vagrant@cascadia.debian.net)
 by cascadia.aikidev.net (Postfix) with ESMTPSA id 4C15B1AA3C;
 Sat, 28 Dec 2019 18:45:40 -0800 (PST)
From: Vagrant Cascadian <vagrant@debian.org>
To: Ricardo Wurmus <rekado@elephly.net>, Ludovic Courtès
 <ludo@gnu.org>
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
In-Reply-To: <87o8vto5rl.fsf@elephly.net>
References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net>
 <871sab7ull.fsf@gnu.org> <87zhwz6ct4.fsf@aikidev.net>
 <877ek364u5.fsf@gnu.org> <87mubmodfb.fsf_-_@gnu.org> <87eewqgc1v.fsf@gnu.org>
 <87o8vto5rl.fsf@elephly.net>
Date: Sat, 28 Dec 2019 18:45:34 -0800
Message-ID: <87a77bzw6p.fsf@yucca>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883@debbugs.gnu.org, guix-devel@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

[Message part 1 (text/plain, inline)]
On 2019-12-27, Ricardo Wurmus wrote:
>>   b3011dbbd2 doc: Mention "make authenticate".
>>   787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
>>   785af04a75 git: 'commit-difference' takes a list of excluded commits.
>>   1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
>>
>> Commit 787766ed1e takes care of caching (one of the limitations I
>> mentioned in my previous message).
>>
>> Commit b3011dbbd2 adds instructions for contributors on how to
>> authenticate a checkout (copied below).  It’s a bit bumpy so I would
>> very much welcome feedback and suggestions on how to improve this!
>
> This is great!

Yes! Yes!


> Thank you for the instructions.  I thought I had all keys, but
> apparently at least one of them is missing.  “make authenticate” fails
> for me with this error:
>
> Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
>
> I previously downloaded the gpg keyring from Savannah:
>
>     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
>
> Looks like Hartmut used to use a different key, which I don’t have.

I got this too, and manually worked around it by downloading
guix-keyring.gpg from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1

And running:

  gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg

It seems to be working now... how is the keyring *supposed* to be
populated? Before I manually imported guix-keyring.gpg into guix.kbx,
there were a very small number of keys present.


It's a little awkward that it uses the fingerprint of the signing key
rather than the primary key, as by default things like "gpg --list-keys"
do not display the fingerprint of signing keys, only the primary key, so
it is an adventure in gpg commandline options to correlate them.

"gpg log --show-signature" also reports the the primary key fingerprint,
if the key is available in the keyring, and only the subkey fingerprint
for unknown keys if I remember correctly.

It would be nice if the statistics would display the primary uid
instead, as it is something a little more human readable, and the
primary key fingerprint, as it is a little easier to find. :)


I'm hoping the eventual goal is to integrate this into guix pull?


Very nice to see progress on this issue!


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:21:59 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.