GNU bug report logs

#22883 Trustable "guix pull"


Message #198 received at 22883@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Subject: Re: bug#22883: Authenticating a Git checkout
Date: Fri, 01 May 2020 19:20:38 +0200

Ludovic Courtès <ludo@gnu.org> wrote:

>   • Generalize that to channels.

As I see it, the generalization would be made by adding the
authentication parameters to the ‘.guix-channel’ file, along these
lines:

  (channel
    (version 0)
    (keyring-reference "my-keyring-branch")
    (historical-authorizations ".guix-authorizations.old"))

where:

  • ‘keyring-reference’ specifies the branch where to look for *.key
    files that constitute the keyring.  It can be ‘master’ and have the
    key mixed up with other files if that’s OK for the channel.  By
    default, it could be the current branch.

  • ‘historical-authorizations’ specifies a file to load in this branch
    and that contains a ‘.guix-authorizations’-formatted list of
    fingerprints for commits that lack a ‘.guix-authorizations’ file.
    By default, we could ignore historical commits—more specifically,
    commits whose parent(s) lack(s) ‘.guix-authorizations’.  It does
    mean that if an authorized commit removes ‘.guix-authorizations’,
    then we’re back to unauthenticated commits.

‘guix pull’ would error out before attempting to build anything if
authentication fails.  It could display a warning when pulling a commit
whose parent(s) lack(s) ‘.guix-authorizations’.

Thoughts?

In terms of code, everything is already there, so it’d be mostly about
moving code around and double-checking the new data formats since
they’ll be hard to change.

In terms of processes, it’ll be tricky: if we committers make a mistake
(sign with the wrong key, forget to add a new committer’s key, etc.),
nobody is able to pull.  In such a case, we’ll probably have to do a
hard-reset of the affected branch.

It would be best if we had a server-side hook to perform all these
checks, so that we don’t encounter such problems.  That would mean
running some of this code on Savannah, I don’t know if it’ll be
possible.  If it’s not, we can set up our own Git repo elsewhere and
make Savannah a mirror.

More thoughts?  :-)

Ludo’.
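
A minimal model of the check proposed in the message above, added here as an illustration and not taken from the Guix code base. It assumes that a commit is accepted when its signer is listed in each parent's ‘.guix-authorizations’; the `Commit` record, the `authenticate` function and the fingerprints "A", "B" and "M" are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Commit:
    id: str
    parents: tuple                       # ids of the parent commits
    signer: Optional[str]                # signing key fingerprint, None if unsigned
    authorizations: Optional[frozenset]  # .guix-authorizations content, None if absent

def authenticate(history, tip, historical=None):
    """Walk every commit reachable from TIP and return (ok, messages).

    HISTORICAL models the 'historical-authorizations' file: the fingerprints
    used when a parent lacks .guix-authorizations.  None models the proposed
    default, where such commits are skipped with a warning."""
    warnings, seen, stack = [], set(), [tip]
    while stack:
        commit = history[stack.pop()]
        if commit.id in seen:
            continue
        seen.add(commit.id)
        for pid in commit.parents:
            allowed = history[pid].authorizations
            if allowed is None and historical is None:
                warnings.append(f"{commit.id}: parent {pid} lacks .guix-authorizations")
                continue
            if allowed is None:
                allowed = historical
            if commit.signer not in allowed:  # also rejects unsigned commits
                return False, [f"{commit.id}: signer {commit.signer} not authorized by {pid}"]
        stack.extend(commit.parents)
    return True, warnings

# Constructed history; "A", "B", "M" stand in for OpenPGP fingerprints.
AB = frozenset({"A", "B"})
HISTORY = {c.id: c for c in [
    Commit("c0", (), "A", None),                   # predates the file
    Commit("c1", ("c0",), "A", frozenset({"A"})),  # introduces the file
    Commit("c2", ("c1",), "A", AB),                # A authorizes B
    Commit("c3", ("c2",), "B", AB),
    Commit("bad", ("c3",), "M", AB),               # M was never authorized
    Commit("c4", ("c3",), "B", None),              # authorized commit removes the file
    Commit("c5", ("c4",), "M", None),              # child of a file-less parent
]}

if __name__ == "__main__":
    for tip, hist in [("c3", None), ("bad", None), ("c5", None), ("c5", frozenset({"A"}))]:
        print(tip, hist, authenticate(HISTORY, tip, hist))
```

In this model, "c5" passes with only a warning under the default, which is the "back to unauthenticated commits" case described in the message; with a historical list supplied, the same tip is rejected.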



