GNU bug report logs

#22883 Trustable "guix pull"


Message #52 received at 22883@debbugs.gnu.org:

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Subject: Re: Authenticating a Git checkout
In-Reply-To: <20160603201717.GB32008@jasmine> (Leo Famulari's message of "Fri, 
 3 Jun 2016 16:17:17 -0400")
Date: Sat, 04 Jun 2016 13:04:05 +0200
Cc: 22883@debbugs.gnu.org, Mike Gerwitz <mtg@gnu.org>,
 Christopher Allan Webber <cwebber@dustycloud.org>

Leo Famulari <leo@famulari.name> wrote:

> On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Courtès wrote:
>> Hello!
>> 
>> So we sign Git commits, and now we want to authenticate Git checkouts.
>> There’s a series of bad news.
>> 
>> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and
>> there’s no way to set it globally.
>
> Since Git already has the git-verify-commit tool, I bet we could
> convince the Git project to implement this as a repo configuration
> option. Even better if we brought a patch :)

Sure.  :-)

>> Third, as I wrote before¹, relying on the OpenPGP web of trust to
>> determine whether a commit is “valid” is inappropriate: what we want to
>> know is whether a commit was made by an authorized person, not whether
>> it was made by someone who happens to have an OpenPGP key directly or
>> indirectly certified.  IOW, we want to know whether the key used to sign
>> the commit is among the authorized developer keys.
>
> So, we need some sort of Guix keyring system, right? We'd have to verify
> that a signature was made with an authorized key, and then validate the
> signature itself? Now it's getting complicated...

Fundamentally, it’s very simple.  It’s just that OpenPGP is not designed
to do this, and GPG doesn’t help with such uses.

>> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,
>> so if we want to do something different than just ‘gpg --verify’, we
>> have to put some other ‘gpg’ script in $PATH.  Blech.
>> 
>> Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d
>> output of ‘gpg’.  Pretty fragile.
>
> According to the man pages gpg(1) and gpg2(1), the value "1" is returned
> if a signature check fails, and there are "other error codes for fatal
> errors". If these return values are consistent across GPG versions,
> maybe they provide enough information for us.

The problem is the meaning of a “signature failure.”  We need to
distinguish between the cases that appear in ‘signature-case’:

  http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pki.scm#n179

The ‘gpg’ command hardly helps with that, plus a signature is considered
“valid” if it’s made by someone “trusted” in the sense of the WoT.

Ludo’.
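
An added example, not part of the original message and not Guix code: one way to tell "signed by an authorized key" apart from "trusted in the web of trust" is to read GnuPG's machine-readable status lines (which `git verify-commit --raw` prints to stderr) rather than the localized human output. The outcome names, the `AUTHORIZED` set and the sample status lines are constructed for illustration.

```python
import subprocess

# Constructed fingerprint; a real list would hold the committers' primary keys.
AUTHORIZED = {"A" * 40}
PREFIX = "[GNUPG:] "

def raw_status(commit, repo="."):
    """Return GnuPG status lines for COMMIT (written to stderr by git)."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", commit],
                          capture_output=True, text=True)
    return proc.stderr

def classify(status, authorized=AUTHORIZED):
    """Map status output to one outcome; TRUST_* (web of trust) is ignored."""
    seen = {}
    for line in status.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if parts:
            seen.setdefault(parts[0], parts[1:])
    if "BADSIG" in seen:
        return "bad-signature"
    if seen.keys() & {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "expired-or-revoked"
    if seen.keys() & {"ERRSIG", "NO_PUBKEY"}:
        return "unverifiable"
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        args = seen["VALIDSIG"]
        # The tenth field is the primary key fingerprint when a subkey signed.
        signer = (args[9] if len(args) >= 10 else args[0]).upper()
        return "authorized" if signer in authorized else "unauthorized-key"
    return "unsigned"

def sample(fpr, trust):
    """Constructed status output for a cryptographically good signature."""
    return (f"{PREFIX}GOODSIG {fpr[-16:]} Constructed User <user@example.org>\n"
            f"{PREFIX}VALIDSIG {fpr} 2016-06-04 1465038245 0 4 0 1 8 00 {fpr}\n"
            f"{PREFIX}{trust}\n")

if __name__ == "__main__":
    # Good signature, no WoT trust, key on the list.
    print(classify(sample("A" * 40, "TRUST_UNDEFINED")))
    # Good signature, fully trusted in the WoT, key not on the list.
    print(classify(sample("C" * 40, "TRUST_FULLY")))
```

The second sample is the case the thread is concerned with: GnuPG reports a good, WoT-trusted signature, yet the signer is not an authorized committer.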




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:27:49 2024; Machine Name: wallace-server
