unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#22883: Trustable "guix pull"
@ 2016-03-02 18:03 Christopher Allan Webber
  2016-03-02 19:26 ` Leo Famulari
                   ` (7 more replies)
  0 siblings, 8 replies; 78+ messages in thread
From: Christopher Allan Webber @ 2016-03-02 18:03 UTC (permalink / raw)
  To: 22883

Right now, when a user does a "guix pull", that pulls down the latest
repository of code from git, which is kept in a tarball.  Once you
receive the latest code, this has some checks: what's the hash of each
package, etc.

Unfortunately, it's delivered over http:

  (define %snapshot-url
    ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
    "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
    )

At minimum we should deliver this over HTTPS, ideally with a single
certificate that is trusted by the user, so the user can't be easily
MITM'ed.

On top of that, even if you run from git proper what there isn't a test
about is: can you trust those latest commits?  Git doesn't really check,
at least by default.

  https://mikegerwitz.com/papers/git-horror-story

How about this: anyone with commit access should use "signed off by" and
gpg signatures combined.  We should keep some list of guix committers'
gpg keys.  No commit should be pushed to guix without a gpg signature.
At this point, at least, there is some possibility of auditing things.

Perhaps before a master.tar.gz is made, there can be some integrity
check of the commits matching the current set of "trusted" keys?

^ permalink raw reply	[flat|nested] 78+ messages in thread

end of thread, other threads:[~2020-06-08 22:05 UTC | newest]

Thread overview: 78+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-02 18:03 bug#22883: Trustable "guix pull" Christopher Allan Webber
2016-03-02 19:26 ` Leo Famulari
2016-03-02 21:07   ` Christopher Allan Webber
2016-04-25 22:25 ` Ludovic Courtès
2016-04-26  0:13   ` Leo Famulari
2016-04-26  0:17     ` Thompson, David
2016-04-26  7:12       ` Ludovic Courtès
2016-04-30  4:43     ` Mike Gerwitz
2016-06-03 16:12       ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2016-06-03 20:17         ` Leo Famulari
2016-06-04 11:04           ` Ludovic Courtès
2016-06-04  4:24         ` Mike Gerwitz
2016-06-04 11:17           ` Ludovic Courtès
2016-06-04 12:45             ` ng0
2016-06-06 12:20               ` ng0
2016-06-04 16:14             ` Mike Gerwitz
2016-06-05 20:39             ` Christopher Allan Webber
2016-06-05 21:15               ` Leo Famulari
2016-06-06  2:41               ` Mike Gerwitz
2016-06-06  7:01                 ` Ludovic Courtès
2016-07-22  8:22         ` Ludovic Courtès
2016-07-22 12:58           ` Thompson, David
2016-07-22 13:58             ` Ludovic Courtès
2017-10-24 23:30           ` Ludovic Courtès
2019-12-27 19:48             ` Ricardo Wurmus
2019-12-28 14:47               ` Ludovic Courtès
2019-12-28 16:05                 ` Ricardo Wurmus
2019-12-28 17:45                   ` Ludovic Courtès
2020-04-30 15:32                 ` Ludovic Courtès
2020-05-01 15:46                   ` Justus Winter
2020-05-01 16:50                     ` Ludovic Courtès
2020-05-01 17:04                   ` Ludovic Courtès
2020-05-19 20:23                     ` Ludovic Courtès
2020-06-01 14:07                       ` bug#22883: Channel introductions Ludovic Courtès
2020-06-02 23:45                         ` zimoun
2020-06-03  9:50                           ` Ludovic Courtès
2020-06-03 16:20                             ` zimoun
2020-06-04  9:55                               ` Ludovic Courtès
2020-05-01 17:20                   ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2020-05-02 22:02                   ` Ludovic Courtès
2020-05-04  8:03                     ` Ludovic Courtès
2016-06-01 16:47   ` bug#22883: Discussion of TUF in the context of Git checkout authentication Ludovic Courtès
2016-05-15 12:40 ` bug#22883: Trustable "guix pull" fluxboks
2016-05-16 17:55   ` Thompson, David
2016-05-17 21:19   ` Ludovic Courtès
2016-06-04 16:19 ` Werner Koch
2016-06-04 22:27   ` Ludovic Courtès
2016-06-05  7:51     ` Werner Koch
2016-06-06 21:01       ` Leo Famulari
2016-06-07  8:08         ` bug#22883: gpg2 vs. gpg Ludovic Courtès
2016-06-07 11:25           ` Werner Koch
2016-06-07 12:58             ` ng0
2016-06-05  1:43   ` bug#22883: Trustable "guix pull" Mike Gerwitz
2018-08-28 19:56 ` Vagrant Cascadian
2018-09-02 16:05   ` Ludovic Courtès
2018-09-02 17:15     ` Vagrant Cascadian
2018-09-02 20:07       ` Ludovic Courtès
2019-12-20 22:11         ` bug#22883: Authenticating Git checkouts: step #1 Ludovic Courtès
     [not found]         ` <87mubmodfb.fsf_-_@gnu.org>
2019-12-21  1:33           ` zimoun
2019-12-27 12:58           ` Ludovic Courtès
     [not found]           ` <87eewqgc1v.fsf@gnu.org>
2019-12-27 20:47             ` Ricardo Wurmus
     [not found]             ` <87o8vto5rl.fsf@elephly.net>
2019-12-29  2:45               ` Vagrant Cascadian
     [not found]               ` <87a77bzw6p.fsf@yucca>
2019-12-29  7:34                 ` Efraim Flashner
2019-12-30 21:29                 ` Ludovic Courtès
2019-12-31 19:16 ` Jakub Kądziołka
2020-01-08 13:30   ` Ludovic Courtès
2020-06-02 13:49 ` bug#22883: Authenticating a Git checkout John Soo
2020-06-03  9:33   ` Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 2/9] git-authenticate: 'authenticate-commits' takes a #:keyring parameter Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 3/9] tests: Move OpenPGP helpers to (guix tests gnupg) Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 5/9] channels: Make 'validate-pull' call right after clone/pull Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 6/9] .guix-channel: Add 'keyring-reference' Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 7/9] channels: Automatically add introduction for the official 'guix' channel Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 8/9] pull: Add '--disable-authentication' Ludovic Courtès
2020-06-08 21:54   ` bug#22883: [PATCH 9/9] DROP? channels: Add prehistorical authorizations to <channel-introduction> Ludovic Courtès
2020-06-08 22:04   ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).