Enable guix git authenticate to work.
From: Denis 'GNUtoo' Carikli
Subject: Enable guix git authenticate to work.
Date: Tue, 24 Sep 2024 18:27:43 +0200

Hi,
Users wanting to install GNU Boot who also care about where
they get their software have several options, but none that the project
can really put forward yet:
* GNU Boot binaries: they are signed but not reproducible. The easy
solution is to build a release from source and hope that everything
goes well (the risk should decrease over time as we're improving the
build code and tests).
* GNU Boot source release on ftp.gnu.org/gnu/gnuboot: They are signed.
The gnuboot-source-0.1-rc3.bundle may work but it's completely
undocumented and untested.
* GNU Boot git source code: There is documentation that is kept up to
date for building GNU Boot from the latest git revision. It's also
possible to build the documentation locally, including the
documentation corresponding to a release. But the download of the
git repository goes through HTTPS, and so the weakest point here is
probably the certificate as there is probably no certificate pinning
of savannah inside the various distributions. But my GPG key can be
found in the Parabola keyring for instance, so that makes it easier
to get a chain of trust somehow.
So the easiest way to improve the situation here is to enable
authenticating git repositories with GPG. Guix has built a tool for
that[1] and we already require Guix to build the GNU Boot binaries so
it should be easy to document.
The following command should be sufficient to do this authentication:
    $ guix git authenticate "<commit-id>" \
        "FB31 DBA3 AB8D B76A 4157 329F 7651 568F 8037 4459"
The commit ID should be that of the 'Add ".guix-authorizations" for
"guix git authenticate".' commit.
It's better to wait for these commits to be pushed before sending
patches for the corresponding documentation to have the right commit
ID inside that documentation.
Also note that I asked Neox for permission before sending this patch
set as he also needs to review the previous one.
References:
-----------
[1]https://guix.gnu.org/en/blog/2024/authenticate-your-git-checkouts/
--
2.46.0