GNU bug report logs

#22883 Trustable "guix pull"


Message #195 received at 22883@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: bug#22883: Authenticating a Git checkout
Date: Fri, 01 May 2020 19:04:41 +0200
Cc: 22883@debbugs.gnu.org

Hey!

Ludovic Courtès <ludo@gnu.org> skribis:

>   • Load the keyring from files in the repo, possibly in a dedicated
>     branch.
>
>   • Load the list of authorized keys from the parent of the commit being
>     authenticated.

Done!

  8916c2fa32 git-authenticate: Load the keyring from the repository.
  6960064ddc git-authenticate: Load the list of authorized keys from the tree.
  f145a2d1a9 .guix-authorizations: Augment.
  62ae43db19 git-authenticate: Use (guix openpgp).

‘git-authenticate’ now loads the keyring from the “keyring” branch,
which I’ve just pushed as an “orphan” branch:

  https://git.savannah.gnu.org/cgit/guix.git/?h=keyring

So no need to store the keyring out-of-band, to spawn gpg to fetch keys
from somewhere else, etc.  The idea is that we’ll keep adding new keys
to this branch every time a new committer joins.  We would never remove
keys from there because those keys are necessary to verify signatures.
The fact that a key is present on that branch does _not_ mean that it
designates an authorized committer today.

The list of authorized committers is meant to be stored in a
‘.guix-authorizations’ file in each branch of the channel.  It is
essentially a list of fingerprints:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e

To accept a new committer, an authorized committer must add its key to
this file in the branch(es) where that person is expected to commit.
The format currently accepts additional data for each fingerprint.  It’s
currently ignored, but I thought it could be useful in the future, for
instance if we want to associate a file pattern with a key.

A commit is considered “authorized” if and only if its signing key is
listed in the ‘.guix-authorizations’ file of its parent commit(s).

In ‘git-authenticate’, this is implemented in a naive unoptimized way,
but it turns out to make no noticeable difference on the wall-clock time
to authenticate those 14K+ commits.  The crux of the authorization
mechanism is this procedure:

  (define* (commit-authorized-keys repository commit
                                   #:optional (default-authorizations '()))
    "Return the list of OpenPGP fingerprints authorized to sign COMMIT, based on
  authorizations listed in its parent commits.  If one of the parent commits
  does not specify anything, fall back to DEFAULT-AUTHORIZATIONS."
    …)

Feedback welcome!

Ludo’.
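
The authorization rule described in the message above, modelled over a constructed commit graph. This is an added example, not part of the original message and not Guix code: the `Commit` class, the function names and the fingerprints are hypothetical, and it assumes that a root commit falls back to the default authorizations and that a merge commit's key must be listed by every parent (the message only says "parent commit(s)").

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Commit:
    id: str
    parents: tuple                       # ids of the parent commits
    signer: str                          # fingerprint of the signing key
    authorizations: Optional[frozenset]  # parsed .guix-authorizations; None if absent

def authorized_keys(repo, commit, default=frozenset()):
    """Fingerprints allowed to sign `commit`, read from its parents only."""
    if not commit.parents:               # assumption: root commit uses the defaults
        return frozenset(default)
    per_parent = [repo[p].authorizations if repo[p].authorizations is not None
                  else frozenset(default)
                  for p in commit.parents]
    # Assumption: for a merge, every parent must list the key (intersection).
    return frozenset.intersection(*per_parent)

def authenticate(repo, keyring, default=frozenset()):
    """Return {commit id: verdict} for every commit in `repo`."""
    verdicts = {}
    for c in repo.values():
        if c.signer not in keyring:
            verdicts[c.id] = "unknown key"    # signature cannot be verified at all
        elif c.signer not in authorized_keys(repo, c, default):
            verdicts[c.id] = "unauthorized"   # valid signature, wrong signer
        else:
            verdicts[c.id] = "ok"
    return verdicts

ALICE, BOB, MALLORY = "AAAA", "BBBB", "CCCC"  # constructed fingerprints
KEYRING = {ALICE, BOB, MALLORY}               # every key ever added, never pruned
REPO = {c.id: c for c in [                    # constructed history
    Commit("c0", (), ALICE, None),                          # predates the file
    Commit("c1", ("c0",), ALICE, frozenset({ALICE})),       # introduces the file
    Commit("c2", ("c1",), ALICE, frozenset({ALICE, BOB})),  # Alice adds Bob
    Commit("c3", ("c2",), BOB, frozenset({ALICE, BOB})),    # Bob may sign from here
    Commit("c4", ("c3",), MALLORY,                          # adds its own key:
           frozenset({ALICE, BOB, MALLORY})),               # not self-authorizing
    Commit("c5", ("c3",), ALICE, frozenset({ALICE})),       # branch drops Bob
    Commit("c6", ("c3", "c5"), BOB, frozenset({ALICE, BOB})),  # merge signed by Bob
]}

if __name__ == "__main__":
    for cid, verdict in authenticate(REPO, KEYRING, default={ALICE}).items():
        print(cid, verdict)
```

Commit c4 is rejected even though its key is in the keyring and in its own copy of the file, because only the parents' files are consulted; that is what keeps the keyring (verification) separate from authorization.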

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:16:09 2024; Machine Name: wallace-server