guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Commit pushed to master with unauthorised signature

From: Taylan Kammer
Subject: Re: Commit pushed to master with unauthorised signature
Date: Fri, 12 Mar 2021 00:02:07 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 
On 11.03.2021 20:16, Leo Famulari wrote:
> On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
>> Damn, sorry about that.  I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
> 
> The security model is based on the client-side, i.e. `guix pull`. That
> way, we don't have to trust the Git repo. We do want to improve the repo
> so that it's not possible to push commits signed with unauthorized keys,
> but that hasn't been done yet.
>   
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient.  I did that via the web interface, and
>> ensured that the encryption test is successful.  The commit is signed
>> with that new GPG key.
> 
> Adding your key(s) to your Savannah account is a required step...
> 
>> Are the GPG keys added to one's Savannah account unrelated to commit
>> signing in the Guix repo, or are they not automatically synced, or is
>> this a further bug?..
> 
> ... but, we have a new code authentication system, described in the
> manual section Specifying Channel Authorizations:
> 
> https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html
> 
> Basically, committers' keys must be added to the .guix-authorizations
> file in the Git repo before their work will be accepted by `guix pull`.
> 
> We are really happy that you are pushing code again :)
> 
> When this issue popped up yesterday, I removed your commit access just
> to avoid further broken commits. Concretely, this means that I removed
> you from the Guix "group" on Savannah.
> 
> However, I want to re-add you as a committer. Please read the manual
> sections Commit Access. Especially, the part about the pre-push Git
> hook, which would have caught this issue before pushing.
> 
> https://guix.gnu.org/manual/en/html_node/Commit-Access.html
> 
> Let me know when you've read the updated committer workflow guidelines
> and installed the pre-push Git hook, and we'll add your new key to
> .guix-authorizations, re-add you to the Savannah group, and then we can
> continue with our happy hacking :)

Thanks for the kind explanation!  I'll get in touch when I'm not so out
of the loop anymore.  To be honest I was just "summoned" by a bug report
on guile-bytestructures and am otherwise still overloaded with work life
plus personal projects outside of free software.


- Taylan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]