bug#22883: closed (Trustable "guix pull")

[GNU bug Tracking System]

Your message dated Tue, 16 Jun 2020 16:34:57 +0200
with message-id <87v9jrrsdq.fsf@gnu.org>
and subject line Re: bug#22883: [bug#41767] [PATCH 0/9] Authenticate channels
has caused the debbugs.gnu.org bug report #22883,
regarding Trustable "guix pull"
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
22883: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> Trustable "guix pull"
>
>
>
>
> Date: 
>
> Wed, 02 Mar 2016 10:03:59 -0800
>
>
>
>
> User-agent: 
>
> mu4e 0.9.13; emacs 24.5.1
>
>
>
>
> Right now, when a user does a "guix pull", that pulls down the latest
> repository of code from git, which is kept in a tarball.  Once you
> receive the latest code, this has some checks: what's the hash of each
> package, etc.
>
> Unfortunately, it's delivered over http:
>
>   (define %snapshot-url
>     ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download";
>     "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz";
>     )
>
> At minimum we should deliver this over HTTPS, ideally with a single
> certificate that is trusted by the user, so the user can't be easily
> MITM'ed.
>
> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits?  Git doesn't really check,
> at least by default.
>
>   https://mikegerwitz.com/papers/git-horror-story
>
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined.  We should keep some list of guix committers'
> gpg keys.  No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.
>
> Perhaps before a master.tar.gz is made, there can be some integrity
> check of the commits matching the current set of "trusted" keys?
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#22883: [bug#41767] [PATCH 0/9] Authenticate channels
>
>
>
>
> Date: 
>
> Tue, 16 Jun 2020 16:34:57 +0200
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
>
>
>
>
> Hi!
>
> Ludovic Courtès <ludo@gnu.org> skribis:
>
> > Pushed!
> >
> >   619972f7b5 maint: "make authenticate" behaves like 'guix pull' by default.
> >   838ac881ec time-machine: Add '--disable-authentication'.
> >   a9eeeaa6ae pull: Add '--disable-authentication'.
> >   c3f6f564e9 channels: Automatically add introduction for the official 'guix' 
> > channel.
> >   a941e8fe1f .guix-channel: Add 'keyring-reference'.
> >   5bafc70d1e channels: Make 'validate-pull' call right after clone/pull.
> >   43badf261f channels: 'latest-channel-instance' authenticates Git checkouts.
> >   1e2b9bf2d4 tests: Move OpenPGP helpers to (guix tests gnupg).
> >   41946b79f1 git-authenticate: 'authenticate-commits' takes a #:keyring 
> > parameter.
> >   a450b4343b git-authenticate: Cache takes a key parameter.
>
> Like I wrote, there’s still work to be done in this area, but at least
> we can now have the pleasure to close this 4-year old bug.  \o/
>
>   https://issues.guix.gnu.org/22883
>
> Ludo’.
>
>
> --- End Message ---