guix-devel
Re: Commit pushed to master with unauthorised signature


From: Maxime Devos
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 08:37:16 +0100
User-agent: Evolution 3.34.2

On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
> [...]
> Damn, sorry about that.  I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.
> 
> However, I also assumed that adding a new GPG key to my savannah.gnu.org
> account would be sufficient.

"guix pull" only looks at the git repo (the .guix-authorizations file + the
keyring branch), and not anything else provided by savannah.  Doing so would
introduce an additional point where the "guix pull" mechanism could be
compromised.  The git repository could as well have been hosted at
$RANDOM_SPY_AGENCY or $RANDOM_FORGE.

(See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
‘7.4 Invoking ‘guix git authenticate’’).

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo,

Yes (though they probably are the same in practice).

> or are they not automatically synced,

Yes, they aren't.

> this a further bug?..

No, savannah is not ‘trusted’ beyond being online, as that would introduce
another point where "guix pull" could be compromised.

Maxime.

Attachment: signature.asc
Description: This is a digitally signed message part
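
The point made in the reply above, as an added example that is not part of the original message or of Guix's code: a toy Python model in which a commit is accepted only if its signer is listed in the `.guix-authorizations` of every parent commit (the rule described in the Guix manual section the message cites), while the key list of the hosting account is never consulted. All names, commit ids and fingerprints are hypothetical placeholders, and verifying the OpenPGP signature itself against the keyring branch is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    parents: tuple         # ids of parent commits
    signer: str            # fingerprint of the key that signed the commit
    authorized: frozenset  # fingerprints in this commit's .guix-authorizations

def unauthorized_commits(history, introduction, tip):
    """Walk back from tip and return the ids of commits whose signer is not
    listed in the .guix-authorizations of every parent. The introduction
    commit is the trust anchor and is accepted as-is."""
    bad, seen, stack = [], set(), [tip]
    while stack:
        cid = stack.pop()
        if cid in seen or cid == introduction:
            continue
        seen.add(cid)
        commit = history[cid]
        # A parentless commit other than the introduction has no authorizing parent.
        ok = bool(commit.parents) and all(
            commit.signer in history[p].authorized for p in commit.parents)
        if not ok:
            bad.append(cid)
        stack.extend(commit.parents)
    return sorted(bad)

# Constructed sample data: placeholder fingerprints, not real keys.
OLD, NEW = "FPR-OLD-KEY", "FPR-NEW-KEY"
FORGE_ACCOUNT_KEYS = {OLD, NEW}  # uploaded to the hosting account; never read below

BASE = frozenset({OLD})
# Case 1: NEW was only added to the forge account, so c2 is rejected.
rejected = {
    "c0": Commit((), OLD, BASE),
    "c1": Commit(("c0",), OLD, BASE),
    "c2": Commit(("c1",), NEW, BASE),
}
# Case 2: an already authorized signer adds NEW in the repository first.
accepted = {
    "c0": Commit((), OLD, BASE),
    "c1": Commit(("c0",), OLD, BASE | {NEW}),
    "c2": Commit(("c1",), NEW, BASE | {NEW}),
}

if __name__ == "__main__":
    print(unauthorized_commits(rejected, "c0", "c2"))
    print(unauthorized_commits(accepted, "c0", "c2"))
```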
