--- Begin Message ---
Subject: [PATCH 0/9] Authenticate channels
Date: Mon, 8 Jun 2020 23:52:24 +0200

Hi Guix!

This patch series does it! It integrates checkout authentication
with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.
automatically authenticate the commits they fetch and raise an
error if they find an unsigned commit or a commit signed by an
unauthorized party¹.

Channel introductions² are implemented but not exposed. Thus,
third-party channels cannot use the authentication mechanism yet.
Conversely, the ‘guix’ channel is authenticated by default.

Any commit in the closure of the introduction’s first commit
is considered authentic (for instance, the commit pointed to
by ‘v0.5’ is considered authentic, even though it’s not even
signed.) Conversely, any commit that does _not_ contain the
introduction’s first commit in its closure is considered
inauthentic.

The patch marked “DROP?” implements “prehistorical authorizations”,
i.e., authorizations for when ‘.guix-authorizations’ didn’t exist
(“make authenticate” does that as well).
Without that patch, we take 87a40d7203a813921b3ef0805c2b46c0026d6c31
(May 5th) as the introduction’s first commit.

In concrete terms, what the patch marked as “DROP?” would buy
us is the ability to merge branches created between ‘v1.0.0’ and
87a40…. I think it’s not that useful, so I’m willing to drop it.
(We can always take it later if we want to.)

There’s a ‘--disable-authentication’ escape hatch for ‘guix pull’,
but not for ‘guix time-machine’ (we’d need to make sure we don’t
cache an inferior that was not authenticated.)

I would much welcome feedback! I’m happy to answer questions if
anything’s unclear. Don’t hesitate, because after that it’ll be
harder to change!

Ludo’.

¹ https://issues.guix.gnu.org/issue/22883#64
² https://issues.guix.gnu.org/issue/22883#69

Ludovic Courtès (9):
  git-authenticate: Cache takes a key parameter.
  git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
  tests: Move OpenPGP helpers to (guix tests gnupg).
  channels: 'latest-channel-instance' authenticates Git checkouts.
  channels: Make 'validate-pull' call right after clone/pull.
  .guix-channel: Add 'keyring-reference'.
  channels: Automatically add introduction for the official 'guix'
    channel.
  pull: Add '--disable-authentication'.
  DROP? channels: Add prehistorical authorizations to
    <channel-introduction>.

 .dir-locals.el                 |   1 +
 .guix-channel                  |   3 +-
 build-aux/git-authenticate.scm | 246 +------------------
 doc/guix.texi                  |  20 +-
 guix/channels.scm              | 437 +++++++++++++++++++++++++++++++--
 guix/git-authenticate.scm      |  32 +--
 guix/scripts/pull.scm          |  24 +-
 guix/tests/gnupg.scm           |  32 ++-
 tests/channels.scm             | 128 +++++++++-
 tests/git-authenticate.scm     |  25 --
 10 files changed, 634 insertions(+), 314 deletions(-)

--
2.26.2
--- End Message ---
--- Begin Message ---
Subject: Re: [bug#41767] [PATCH 0/9] Authenticate channels
Date: Tue, 16 Jun 2020 16:22:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi,

Ludovic Courtès <ludo@gnu.org> skribis:

>   git-authenticate: Cache takes a key parameter.
>   git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
>   tests: Move OpenPGP helpers to (guix tests gnupg).
>   channels: 'latest-channel-instance' authenticates Git checkouts.
>   channels: Make 'validate-pull' call right after clone/pull.
>   .guix-channel: Add 'keyring-reference'.
>   channels: Automatically add introduction for the official 'guix'
>     channel.
>   pull: Add '--disable-authentication'.
>   DROP? channels: Add prehistorical authorizations to
>     <channel-introduction>.

Pushed!

  619972f7b5 maint: "make authenticate" behaves like 'guix pull' by default.
  838ac881ec time-machine: Add '--disable-authentication'.
  a9eeeaa6ae pull: Add '--disable-authentication'.
  c3f6f564e9 channels: Automatically add introduction for the official 'guix'
             channel.
  a941e8fe1f .guix-channel: Add 'keyring-reference'.
  5bafc70d1e channels: Make 'validate-pull' call right after clone/pull.
  43badf261f channels: 'latest-channel-instance' authenticates Git checkouts.
  1e2b9bf2d4 tests: Move OpenPGP helpers to (guix tests gnupg).
  41946b79f1 git-authenticate: 'authenticate-commits' takes a #:keyring
             parameter.
  a450b4343b git-authenticate: Cache takes a key parameter.

I made the following changes:

  1. The introductory commit of the ‘guix’ channel is now
     9edb3f66fd807b096b48283debdcddccfea34bad (was
     87a40d7203a813921b3ef0805c2b46c0026d6c31). This is because one of
     the parents of 9edb3f66fd807b096b48283debdcddccfea34bad lacks
     ‘.guix-authorizations’. Consider it set in stone now!

  2. I added ‘--disable-authentication’ for ‘guix time-machine’ in an
     extra commit (it was easier than I thought because we don’t need to
     disable inferior caching).

  3. In an extra commit, I made “make authenticate” behave like ‘guix
     pull’ by default—i.e., assume that commits whose parent lacks the
     ‘.guix-authorizations’ file are unauthorized. It’s still possible
     to run “make authenticate GUIX_USE_HISTORICAL_AUTHORIZATIONS=yes”
     to assume “historical authorizations” for those commits.

Future work includes making that mechanism available to third-party
channels, which in turn means providing a public interface for “channel
introductions” and probably a ‘guix channel’ CLI, as discussed earlier.

Let me know if you notice anything wrong!

Ludo’.
--- End Message ---
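
The acceptance rules described in the two messages above, as an added Python model that is not part of the thread and not Guix's own code (Guix implements this in Scheme). It assumes a commit's signer must be listed in the ‘.guix-authorizations’ of each of its parents; the commit ids, key names and history are constructed.

```python
from collections import namedtuple
# parents: ids of parent commits; signer: key fingerprint, or None if unsigned;
# authorizations: keys in the commit's '.guix-authorizations', None if the file is absent.
Commit = namedtuple("Commit", "parents signer authorizations")

def closure(repo, start):
    """Return START together with all of its ancestors."""
    seen, todo = set(), [start]
    while todo:
        cid = todo.pop()
        if cid not in seen:
            seen.add(cid)
            todo.extend(repo[cid].parents)
    return seen

def authenticate(repo, intro, target):
    """Return the ids of the commits checked; raise ValueError on failure."""
    # The introduction and its ancestors are accepted as is, signed or not.
    trusted, reach = closure(repo, intro), closure(repo, target)
    if target not in trusted and intro not in reach:
        raise ValueError(f"{target}: introduction not in its closure")
    checked = sorted(reach - trusted)
    for cid in checked:
        signer = repo[cid].signer
        if signer is None:
            raise ValueError(f"{cid}: unsigned commit")
        for pid in repo[cid].parents:
            allowed = repo[pid].authorizations
            if allowed is None or signer not in allowed:
                raise ValueError(f"{cid}: {signer} not authorized by parent {pid}")
    return checked

# Constructed history; ids and key names are made up for this example.
A, B = "KEY-A", "KEY-B"
REPO = {
    "old":   Commit((), None, None),                    # unsigned, predates the file
    "intro": Commit(("old",), A, frozenset({A})),
    "c1":    Commit(("intro",), A, frozenset({A, B})),  # authorizes KEY-B
    "c2":    Commit(("c1",), B, frozenset({A, B})),
    "evil":  Commit(("c2",), "KEY-X", frozenset({A, B, "KEY-X"})),  # adds its own key
    "side":  Commit(("old",), A, None),                 # branched before the introduction
    "merge": Commit(("c2", "side"), A, frozenset({A, B})),
}

def verdict(target):
    try:
        return authenticate(REPO, "intro", target)
    except ValueError as err:
        return str(err)
```

In this model, ‘merge’ is rejected because its parent ‘side’ carries no ‘.guix-authorizations’, which is the situation change 1 of the second message avoids by picking a later introductory commit, and ‘evil’ is rejected because a commit cannot authorize its own key.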