#22883 - Trustable "guix pull" - GNU bug report logs

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Message #76 received at 22883@debbugs.gnu.org (full text, mbox, reply):

Received: (at 22883) by debbugs.gnu.org; 5 Jun 2016 20:39:08 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Jun 05 16:39:08 2016
Received: from localhost ([127.0.0.1]:55918 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1b9epA-0007Xb-72
	for submit@debbugs.gnu.org; Sun, 05 Jun 2016 16:39:08 -0400
Received: from dustycloud.org ([50.116.34.160]:41232)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@dustycloud.org>) id 1b9ep8-0007XT-Nq
 for 22883@debbugs.gnu.org; Sun, 05 Jun 2016 16:39:07 -0400
Received: from oolong (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 6CB3626674;
 Sun,  5 Jun 2016 16:39:05 -0400 (EDT)
References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org>
 <87bn3iz1xc.fsf_-_@gnu.org> <87bn3hwpgo.fsf@gnu.org> <87wpm519um.fsf@gnu.org>
User-agent: mu4e 0.9.13; emacs 24.5.1
From: Christopher Allan Webber <cwebber@dustycloud.org>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Authenticating a Git checkout
In-reply-to: <87wpm519um.fsf@gnu.org>
Date: Sun, 05 Jun 2016 15:39:04 -0500
Message-ID: <87h9d7e5g7.fsf@dustycloud.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: 22883
Cc: 22883@debbugs.gnu.org, Mike Gerwitz <mtg@gnu.org>,
 Leo Famulari <leo@famulari.name>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

Ludovic Courtès writes:

>>> Second, even if it did, it would be a shallow check: as Mike notes in
>>> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’
>>> script, you actually have to traverse the whole commit history and
>>> authenticate them one by one.  But that’s OK, it runs in presumably less
>>> than a minute on a repo the size of Guix’s, and we could also stop at
>>> signed tags to avoid redundant checks.
>>
>> Practically speaking, that's probably fine, though note that a signed
>> tag is just a signed hash of the commit it points to (with some
>> metadata), so you're trusting the integrity of SHA-1 and nothing
>> more.
>>
>> With that said, the tag points to what will hopefully be a signed
>> commit, so if you verify the signature of the tag _and_ that commit,
>> that'd be even better.  Git's use of SHA-1 makes cryptographic
>> assurances difficult/awkward.
>>
>> An occasional traversal of the entire DAG by, say, a CI script would
>> provide some pretty good confidence.  I wouldn't say it's necessary for
>> every pull.
>
> Agreed.

One theoretical optimization: if I verify the DAG, could I store
somewhere that I've verified from commit cabba6e and upward already, so
the next time I verify it only has to verify the new commits?

Mostly makes sense if we're already going down the only mildly
crazypants direction of implementing our own tooling :)

 - Chris

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:37:35 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#22883 Trustable "guix pull"