GNU bug report logs

#22883 Trustable "guix pull"

Message #43 received at 22883@debbugs.gnu.org:

From: ludo@gnu.org (Ludovic Courtès)
To: 22883@debbugs.gnu.org,
Subject: Authenticating a Git checkout
References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org>
Date: Fri, 03 Jun 2016 18:12:47 +0200
In-Reply-To: <874majg0z8.fsf@gnu.org> (Mike Gerwitz's message of "Sat, 30 Apr
 2016 00:43:55 -0400")
Message-ID: <87bn3iz1xc.fsf_-_@gnu.org>
Cc: Christopher Allan Webber <cwebber@dustycloud.org>,
 Mike Gerwitz <mtg@gnu.org>, Leo Famulari <leo@famulari.name>
Hello!

So we sign Git commits, and now we want to authenticate Git checkouts.
There’s a series of bad news.

First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and
there’s no way to set it globally.

Second, even if it did, it would be a shallow check: as Mike notes in
<https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’
script, you actually have to traverse the whole commit history and
authenticate them one by one.  But that’s OK, it runs in presumably less
than a minute on a repo the size of Guix’s, and we could also stop at
signed tags to avoid redundant checks.

Third, as I wrote before¹, relying on the OpenPGP web of trust to
determine whether a commit is “valid” is inappropriate: what we want to
know is whether a commit was made by an authorized person, not whether
it was made by someone who happens to have an OpenPGP key directly or
indirectly certified.  IOW, we want to know whether the key used to sign
the commit is among the authorized developer keys.

Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,
so if we want to do something different than just ‘gpg --verify’, we
have to put some other ‘gpg’ script in $PATH.  Blech.

Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d
output of ‘gpg’.  Pretty fragile.

Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on
the CHICKEN bindings², easy!  Well no, it turns out that libgit2³ has no
support for signed commits (the ‘signature’ abstraction there has
nothing to do with OpenPGP signatures.)

Seventh, even if it did, what would we do with the raw ASCII-armored
OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we’d
need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
in Bigloo?)?!


I hope I’m just being negative and I missed an obvious solution or made
wrong hypotheses.  Please tell me!  :-)


I stumbled upon git-lockup⁴, which uses something other than OpenPGP to
sign objects in Git.  However, signatures are not stored in commits but
rather in “git notes”, which, IIUC, are mutable objects detached from
the rest of the object store, so not great.

Cheers,
Ludo’.

¹ http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#40
² http://wiki.call-cc.org/eggref/4/git
³ https://libgit2.github.com/libgit2/
⁴ https://github.com/warner/git-lockup
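
The following is an added example, not part of the original message and not Guix code. It sketches the checks the message asks for: walk the whole history, read GnuPG's machine-readable status lines (via `git verify-commit --raw`) rather than its localized output, and accept a commit only if the signing key's primary fingerprint is in an explicit set of authorized keys. The function names, the fingerprints and the sample status text are constructed for illustration, and treating expired keys as fatal is a policy assumption.

```python
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords treated as fatal here (a policy choice made for this example).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed fingerprints and status output, for illustration only.
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2016-06-03 1464970367 0 4 0 1 8 00 {PRIMARY}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def check_commit(status_text, authorized):
    """Classify one commit; `authorized` is a set of uppercase fingerprints."""
    fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if fields and fields[0] in REJECT:
            return "rejected:" + fields[0]
        if len(fields) >= 2 and fields[0] == "VALIDSIG":
            # Field 10 is the primary-key fingerprint; field 1 is the (sub)key.
            fingerprint = (fields[10] if len(fields) >= 11 else fields[1]).upper()
    if fingerprint is None:
        return "no-valid-signature"  # unsigned commit, or no VALIDSIG line
    # Authorization is set membership; the web-of-trust level is ignored.
    return "ok" if fingerprint in authorized else "unauthorized-key"


def audit_history(repo, authorized, tip="HEAD"):
    """Check every commit reachable from tip; return [(commit, verdict)] failures."""
    revs = subprocess.run(["git", "-C", repo, "rev-list", tip],
                          capture_output=True, text=True, check=True).stdout.split()
    failures = []
    for rev in revs:
        # --raw sends GnuPG's status output to stderr; exit code is not relied on.
        proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                              capture_output=True, text=True)
        verdict = check_commit(proc.stderr, authorized)
        if verdict != "ok":
            failures.append((rev, verdict))
    return failures
```

An empty list from `audit_history` means every reachable commit carried a valid signature from an authorized key; the TRUST_* lines are deliberately not consulted.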
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:37:44 2024; Machine Name: wallace-server