--- Begin Message ---
Subject: Trustable "guix pull"
Date: Wed, 02 Mar 2016 10:03:59 -0800
User-agent: mu4e 0.9.13; emacs 24.5.1

Right now, when a user does a "guix pull", that pulls down the latest
repository of code from git, which is kept in a tarball. Once you
receive the latest code, this has some checks: what's the hash of each
package, etc.

Unfortunately, it's delivered over http:

  (define %snapshot-url
    ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
    "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
    )

At minimum we should deliver this over HTTPS, ideally with a single
certificate that is trusted by the user, so the user can't be easily
MITM'ed.

On top of that, even if you run from git proper, what there isn't a test
about is: can you trust those latest commits? Git doesn't really check,
at least by default.

  https://mikegerwitz.com/papers/git-horror-story

How about this: anyone with commit access should use "signed off by" and
gpg signatures combined. We should keep some list of guix committers'
gpg keys. No commit should be pushed to guix without a gpg signature.

At this point, at least, there is some possibility of auditing things.

Perhaps before a master.tar.gz is made, there can be some integrity
check of the commits matching the current set of "trusted" keys?
--- End Message ---
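
The integrity check proposed in the message above (refuse any commit that is not signed by a key on the committers' list), as an added example that is not part of the thread and is not Guix's own implementation. The fingerprints, commit ids and function names are constructed for illustration; `%G?`, `%GF` and `%GP` are git's own log placeholders.

```python
import subprocess

# Constructed placeholder fingerprints standing in for the committers' keys.
TRUSTED_FINGERPRINTS = {"A" * 40, "B" * 40}

# Commit id, signature status, fingerprint of the key that made the signature.
# %GF is the signing (sub)key; use %GP instead to match on primary keys.
LOG_FORMAT = "%H %G? %GF"


def audit_log(log_text, trusted):
    """Return (commit, reason) for every commit that fails the policy."""
    failures = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 2:
            failures.append((fields[0], "unparseable log line"))
            continue
        commit, status = fields[0], fields[1]
        fingerprint = fields[2].upper() if len(fields) > 2 else ""
        if status == "N":
            failures.append((commit, "unsigned"))
        elif status not in ("G", "U"):
            # B = bad, X/Y = expired, R = revoked key, E = cannot be checked
            failures.append((commit, "signature status " + status))
        elif fingerprint not in trusted:
            # "U" (valid signature, unknown validity) is accepted above because
            # trust comes from this allowlist, not from GnuPG's trust database.
            failures.append((commit, "signed by untrusted key"))
    return failures


def audit_range(repo, rev_range, trusted):
    """Same audit on a real checkout; needs git and gpg with the keys imported."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True).stdout
    return audit_log(out, trusted)


# Constructed sample of `git log --format="%H %G? %GF"` output.
SAMPLE_LOG = "\n".join([
    "1" * 40 + " G " + "A" * 40,   # good signature, trusted committer
    "2" * 40 + " N",               # no signature at all
    "3" * 40 + " G " + "C" * 40,   # valid signature, but key not on the list
    "4" * 40 + " B " + "A" * 40,   # trusted key id, signature does not verify
])
```

A snapshot tarball would only be published when `audit_log` returns an empty list for every commit since the last audited one.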
--- Begin Message ---
Subject: Re: bug#22883: [bug#41767] [PATCH 0/9] Authenticate channels
Date: Tue, 16 Jun 2020 16:34:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi!

Ludovic Courtès <ludo@gnu.org> wrote:

> Pushed!
>
> 619972f7b5 maint: "make authenticate" behaves like 'guix pull' by default.
> 838ac881ec time-machine: Add '--disable-authentication'.
> a9eeeaa6ae pull: Add '--disable-authentication'.
> c3f6f564e9 channels: Automatically add introduction for the official 'guix'
> channel.
> a941e8fe1f .guix-channel: Add 'keyring-reference'.
> 5bafc70d1e channels: Make 'validate-pull' call right after clone/pull.
> 43badf261f channels: 'latest-channel-instance' authenticates Git checkouts.
> 1e2b9bf2d4 tests: Move OpenPGP helpers to (guix tests gnupg).
> 41946b79f1 git-authenticate: 'authenticate-commits' takes a #:keyring
> parameter.
> a450b4343b git-authenticate: Cache takes a key parameter.

Like I wrote, there’s still work to be done in this area, but at least
we can now have the pleasure to close this 4-year-old bug. \o/

https://issues.guix.gnu.org/22883

Ludo’.
--- End Message ---