From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#22883: Trustable "guix pull"
Date: Wed, 2 Mar 2016 14:26:42 -0500
Message-ID: <20160302192642.GA16774@jasmine>
References: <87io14sqoa.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44303)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1abCQN-0006U1-B4
	for bug-guix@gnu.org; Wed, 02 Mar 2016 14:27:08 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1abCQJ-0008B5-4s
	for bug-guix@gnu.org; Wed, 02 Mar 2016 14:27:07 -0500
Received: from debbugs.gnu.org ([208.118.235.43]:60992)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1abCQI-0008Ar-Nd
	for bug-guix@gnu.org; Wed, 02 Mar 2016 14:27:03 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1abCQI-000765-IG
	for bug-guix@gnu.org; Wed, 02 Mar 2016 14:27:02 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.22883.B22883.145694680427251@debbugs.gnu.org>
Content-Disposition: inline
In-Reply-To: <87io14sqoa.fsf@dustycloud.org>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
To: Christopher Allan Webber <cwebber@dustycloud.org>
Cc: 22883@debbugs.gnu.org

On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
> Right now, when a user does a "guix pull", that pulls down the latest
> repository of code from git, which is kept in a tarball.  Once you
> receive the latest code, this has some checks: what's the hash of each
> package, etc.

A discussion worth having. But, let's merge this bug into
debbugs.gnu.org/22629. Also, we should read "The Update Framework" as
requested there.

> 
> Unfortunately, it's delivered over http:
> 
>   (define %snapshot-url
>     ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
>     "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
>     )
> 
> At minimum we should deliver this over HTTPS, ideally with a single
> certificate that is trusted by the user, so the user can't be easily
> MITM'ed.
> 
> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits?  Git doesn't really check,
> at least by default.
> 
>   https://mikegerwitz.com/papers/git-horror-story
> 
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined.  We should keep some list of guix committers'
> gpg keys.  No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.
> 
> Perhaps before a master.tar.gz is made, there can be some integrity
> check of the commits matching the current set of "trusted" keys?
> 
> 
>