[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Commit pushed to master with unauthorised signature
From: |
Taylan Kammer |
Subject: |
Re: Commit pushed to master with unauthorised signature |
Date: |
Fri, 12 Mar 2021 00:02:07 +0100 |
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 |
On 11.03.2021 20:16, Leo Famulari wrote:
> On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
>> Damn, sorry about that. I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
>
> The security model is based on the client-side, i.e. `guix pull`. That
> way, we don't have to trust the Git repo. We do want to improve the repo
> so that it's not possible to push commits signed with unauthorized keys,
> but that hasn't been done yet.
>
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient. I did that via the web interface, and
>> ensured that the encryption test is successful. The commit is signed
>> with that new GPG key.
>
> Adding your key(s) to your Savannah account is a required step...
>
>> Are the GPG keys added to one's Savannah account unrelated to commit
>> signing in the Guix repo, or are they not automatically synced, or is
>> this a further bug?..
>
> ... but, we have a new code authentication system, described in the
> manual section Specifying Channel Authorizations:
>
> https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html
>
> Basically, committers' keys must be added to the .guix-authorizations
> file in the Git repo before their work will be accepted by `guix pull`.
>
> We are really happy that you are pushing code again :)
>
> When this issue popped up yesterday, I removed your commit access just
> to avoid further broken commits. Concretely, this means that I removed
> you from the Guix "group" on Savannah.
>
> However, I want to re-add you as a committer. Please read the manual
> sections Commit Access. Especially, the part about the pre-push Git
> hook, which would have caught this issue before pushing.
>
> https://guix.gnu.org/manual/en/html_node/Commit-Access.html
>
> Let me know when you've read the updated committer workflow guidelines
> and installed the pre-push Git hook, and we'll add your new key to
> .guix-authorizations, re-add you to the Savannah group, and then we can
> continue with our happy hacking :)
Thanks for the kind explanation! I'll get in touch when I'm not so out
of the loop anymore. To be honest I was just "summoned" by a bug report
on guile-bytestructures and am otherwise still overloaded with work life
plus personal projects outside of free software.
- Taylan