[bug#61246] [PATCH v3 2/3] doc: Explain how to use local guix repositories.

[Maxim Cournoyer]

Hi,

André Batista <nandre@riseup.net> writes:

> Hi Maxim,
>
> sáb 18 fev 2023 às 12:35:32 (1676734532), maxim.cournoyer@gmail.com enviou:
>> (...)
>> >> Perhaps you meant to use @command{git} in the above instead of
>> >> @command{guix}, since it's specific to Git (and the configure snippet is
>> >> for Git) ?
>> >
>> > Not really. It's guix itself and its subcommands which will fail in
>> > this scenario, not git, even though it's because guix is using git
>> > configuration through libgit2. To me it would be misleading to use
>> > @command{git} there. I could come up with a more detailed
>> > description, however, I don't think this would be the place to be
>> > diving on a detailed discussion of guix internals. I'm up to
>> > suggestions though if you think this patch would make people wonder
>> > if it is a typo.
>
> Just to be sure we are on the same page on this: have you followed on
> #55399? AKA Guix has a choice to make here since we could just as
> well decide to diverge from git and disable owner validation checks
> entirely in Guix. On the one side, users wouldn't need to bother with
> git configuration and the manual could do without this patch. On the
> other, would this divergence have any security implications? As far
> as I can see it doesn't, but I may not be seeing far enough and we
> would be hard coding and burying this decision in Guix.
>
> Also we wouldn't be exempting one chosen directory of these checks,
> but disabling it altogether in Guix.

I'm not sure of the security implications this new git switch tries
addressing, so I'd have to read about it more before I can commit on
what's right to do.  In the meantime, we have a recent libgit2 and users
have instructions about dealing with its new security "features", so it
still seems a plus to me.

-- 
Thanks,
Maxim