From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#22883: Trustable "guix pull"
Date: Tue, 26 Apr 2016 00:25:11 +0200
Message-ID: <87h9ep8gxk.fsf@gnu.org>
References: <87io14sqoa.fsf@dustycloud.org>
In-Reply-To: <87io14sqoa.fsf@dustycloud.org> (Christopher Allan Webber's message of "Wed, 02 Mar 2016 10:03:59 -0800")
To: Christopher Allan Webber
Cc: 22883@debbugs.gnu.org

Hello!

Christopher Allan Webber wrote:

> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits? Git doesn't really check,
> at least by default.
>
> https://mikegerwitz.com/papers/git-horror-story
>
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined. We should keep some list of guix committers'
> gpg keys. No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.

To make progress on this front, I’ve decided to start signing all my
commits, so:

--8<---------------cut here---------------start------------->8---
$ git config commit.gpgsign true
$ git config --global user.signingkey 090B11993D9AEBB5
--8<---------------cut here---------------end--------------->8---

I invite everyone to do the same. Hopefully, within a few weeks, we can
add a commit hook to reject unsigned commits.

Note that we’ll be signing patches we push on behalf of contributors who
do not have commit access (reviewer’s responsibility).

Also, rebasing, amending, and cherry-picking code signed by someone else
would lose the original signature, which isn’t great and should be
avoided, if possible.

What remains to be seen, among other things, is how we’ll maintain a
keyring of the committers, and how we’ll distribute it to users of
‘guix pull’; the TUF spec has clever ideas about it, but we need to see
how they map to our setup.

Thoughts?

Ludo’.
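
One way the commit hook mentioned in the message could look, as a server-side `pre-receive` hook that rejects pushed commits which are unsigned or signed by a key outside a committer list. This is an added example, not code from the original message or from Guix; the `ALLOWED_KEYS` list and the function names are assumptions, and only the key ID 090B11993D9AEBB5 comes from the message.

```shell
#!/bin/sh
# Committer keyring as a list of long key IDs (assumed layout). The single
# entry is the key ID from the message; a real list holds every committer.
ALLOWED_KEYS="090B11993D9AEBB5"
ZERO=0000000000000000000000000000000000000000

# Read "<sha> <%G? status> <%GK key id>" lines on stdin, print every commit
# that must be rejected, and return non-zero if there was at least one.
check_signatures() {
    rc=0
    while read -r sha status key; do
        case "$status" in
            G|U) ;;  # good signature (U: gpg has no trust level for the key)
            N) echo "$sha: unsigned"; rc=1; continue ;;
            *) echo "$sha: signature not acceptable ($status)"; rc=1; continue ;;
        esac
        # A valid signature is not enough: the key must belong to a committer.
        case " $ALLOWED_KEYS " in
            *" $key "*) ;;
            *) echo "$sha: signed by non-committer key ${key:-unknown}"; rc=1 ;;
        esac
    done
    return $rc
}

# pre-receive protocol: git passes one "<old> <new> <ref>" line per ref.
main() {
    fail=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue      # ref deletion, nothing to check
        if [ "$old" = "$ZERO" ]; then
            range="$new --not --all"           # new ref: commits not yet in the repo
        else
            range="$old..$new"
        fi
        # $range is left unquoted on purpose so it splits into arguments.
        git log --format='%H %G? %GK' $range | check_signatures || fail=1
    done
    return $fail
}

# Run only when installed as hooks/pre-receive, so the file can be sourced.
case "${0##*/}" in pre-receive) main ;; esac
```

The hook needs the committers' public keys in the keyring of the account that runs it; without them `%G?` reports `E` and the push is refused.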