From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 02 Sep 2018 22:07:30 +0200
Message-ID: <877ek364u5.fsf@gnu.org>
References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net> <871sab7ull.fsf@gnu.org> <87zhwz6ct4.fsf@aikidev.net>
In-Reply-To: <87zhwz6ct4.fsf@aikidev.net> (Vagrant Cascadian's message of "Sun, 02 Sep 2018 10:15:19 -0700")
To: Vagrant Cascadian
Cc: 22883@debbugs.gnu.org

Vagrant Cascadian wrote:

> On 2018-09-02, Ludovic Courtès wrote:
>> Vagrant Cascadian wrote:
>>> I really don't like having a custom GNUPGHOME, but I didn't see any
>>> other obvious way to pass arguments to git to use a custom keyring. I
>>> populated this GNUPGHOME with keys from:
>>>
>>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
>>>
>>> And then ran gpg --refresh-keys on it, as several keys were
>>> outdated/expired.
>>
>> ‘gpgv’, which is recommended for this use case, has a ‘--keyring’
>> argument. I suppose we could use that.
>
> I'm not sure how to get git to use gpgv instead of gpg, and extracting
> the information out of git and then implementing some external
> verification process, while possible, is likely error-prone.

Oh right, IIRC Git cannot use gpgv (this was probably discussed in this
issue, now that I think about it.)

Good thing is that using Guile-Git as in the toy example at , we can use gpgv.

> A feature request to git to allow passing gpg arguments or use gpgv
> would be the best way forward in the long-term.

That would work too.

Thanks,
Ludo’.
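
The external verification discussed in this message (take the signature and the signed data out of a commit, then hand both to gpgv with an explicit `--keyring`), as an added Python example; it is not code from this thread, Guix or Guile-Git. The function names and the sample commit are constructed for illustration, and rejecting a commit with more than one `gpgsig` header is a strictness choice made here.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed sample: raw commit object carrying a fake, non-verifying signature.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.org> 1535918850 +0200\n"
    b"committer A U Thor <author@example.org> 1535918850 +0200\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n \n Y29uc3RydWN0ZWQ=\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\nConstructed commit message\n"
)

def split_signed_commit(raw: bytes):
    """Return (signed_payload, armored_signature); signature is None if unsigned."""
    # Headers end at the first empty line; the blank line inside the armor is
    # stored as a single space, so it cannot be mistaken for that separator.
    head, sep, body = raw.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            if sig:  # two signature headers: ambiguous, refuse to guess
                raise ValueError("more than one gpgsig header")
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])  # continuation line: drop the leading space
        else:
            in_sig = False
            kept.append(line)
    if not sig:
        return raw, None
    # The signed data is the commit object with the gpgsig header removed.
    return b"\n".join(kept) + sep + body, b"\n".join(sig) + b"\n"

def verify_commit(repo: str, rev: str, keyring: str) -> bool:
    """True only if gpgv accepts the commit's signature against `keyring`."""
    raw = subprocess.run(["git", "-C", repo, "cat-file", "commit", rev],
                         check=True, capture_output=True).stdout
    payload, sig = split_signed_commit(raw)
    if sig is None:
        return False  # unsigned commits are treated as failures
    with tempfile.TemporaryDirectory() as tmp:
        sig_file, data_file = Path(tmp, "commit.sig"), Path(tmp, "commit.data")
        sig_file.write_bytes(sig)
        data_file.write_bytes(payload)
        # Absolute path: gpgv looks up slash-less keyring names in its home dir.
        result = subprocess.run(["gpgv", "--keyring", str(Path(keyring).resolve()),
                                 str(sig_file), str(data_file)], capture_output=True)
    return result.returncode == 0
```

gpgv only answers whether some key in the keyring made the signature; deciding which keys belong in that keyring remains a separate policy question.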