guix-patches

[bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channe


From: Leo Famulari
Subject: [bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channel intro commit.
Date: Sun, 26 Sep 2021 14:02:13 -0400

On Sun, Sep 26, 2021 at 12:19:29PM +0200, Attila Lendvai wrote:
> * guix/git-authenticate.scm (authenticate-commit): Reword and extend the error
> message to point to the relevant part of the manual.
> (authenticate-repository): Explicitly authenticate the channel introduction
> commit, so that it's also rejected unless it is signed by an authorized
> key. Otherwise only the second commit would yield an error, which
> is confusing.
> ---
> 
> here's how i tested this:
> 
> i set up pulling from a local checkout of guix.
> in that branch i created a signed dummy commit, and added it as a channel
> introduction, replacing guix in my /etc/guix/channels.scm. then tried to
> guix pull, which worked.
> 
> then i added another dummy commit, which resulted in an error when pulling.
> 
> then i reset the branch back to only contain the first commit, and added
> this code that then resulted in an error even with a single commit.
> 
> i have encountered it while i was trying to set up my local checkout to
> test my patches on my live guix, and i was utterly confused why my commit
> was rejected as unauthenticated (i misunderstood how git-authenticate
> works).

Thanks for your report.

I've marked the severity as "grave", which in Debbugs parlance means
"makes the package in question unusable or mostly so, or causes data
loss, or introduces a security hole allowing access to the accounts of
users who use the package."

https://debbugs.gnu.org/Developer.html#severities

I'm not sure if that's justified or not but this patch should be
prioritized.
