From: Christopher Allan Webber
Subject: bug#22883: Trustable "guix pull"
Date: Wed, 02 Mar 2016 10:03:59 -0800
Message-ID: <87io14sqoa.fsf@dustycloud.org>
To: 22883@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

Right now, when a user does a "guix pull", that pulls down the latest
repository of code from git, which is kept in a tarball.  Once you
receive the latest code, this has some checks: what's the hash of each
package, etc.

Unfortunately, it's delivered over http:

    (define %snapshot-url
      ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
      "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
      )

At minimum we should deliver this over HTTPS, ideally with a single
certificate that is trusted by the user, so the user can't be easily
MITM'ed.

On top of that, even if you run from git proper, what there isn't a
test for is: can you trust those latest commits?  Git doesn't really
check, at least by default.

  https://mikegerwitz.com/papers/git-horror-story

How about this: anyone with commit access should use "Signed-off-by"
and GPG signatures combined.  We should keep some list of Guix
committers' GPG keys.  No commit should be pushed to Guix without a GPG
signature.  At this point, at least, there is some possibility of
auditing things.

Perhaps before a master.tar.gz is made, there can be some integrity
check of the commits matching the current set of "trusted" keys?
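The integrity check proposed in the message above, written out as an added example (this is not Guix's code and not the author's; it was added when editing this page). It audits a git revision range and accepts a commit only if git reports a valid GPG signature and the signing key's fingerprint is in an allowlist of committer keys. The allowlist, the commit hashes and the sample `git log` lines are constructed for illustration. It assumes a git that supports the `%G?` and `%GF` placeholders and that the committers' public keys have been imported into the keyring gpg consults, since git otherwise reports status `E` (cannot check) rather than `G`. Note that a `Signed-off-by:` trailer is plain text and proves nothing by itself; the cryptographic check is the signature.

```python
"""Audit that every commit in a range carries a valid GPG signature from an
allowlisted key.  Added example, not Guix code.

Assumptions: git understands %G? (signature status) and %GF (signing key
fingerprint); committer keys are already in gpg's keyring.
"""
import subprocess
import sys
from typing import Iterable, List, Set, Tuple

# Hypothetical allowlist of committer key fingerprints (constructed values).
# This replaces gpg's own web-of-trust decision: a status of "U" (good
# signature, key not trusted by gpg) is fine if the fingerprint is listed.
TRUSTED_FINGERPRINTS: Set[str] = {
    "3CE464558A84FDC69DB40CFB090B11993D9AEBB5",  # hypothetical committer A
    "CA4F8CF437B1A0D2D8C5A4D9CA9DE4FF0E9DD48E",  # hypothetical committer B
}

# %x09 is a tab; %G? is the verification status, %GF the signer fingerprint.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%s"

# Meaning of git's %G? codes; only G and U indicate a signature that verifies.
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key not trusted by gpg",
    "X": "good signature, but the signature has expired",
    "Y": "good signature, but the key has expired",
    "R": "good signature, but the key is revoked",
    "E": "cannot check: key missing or gpg error",
    "N": "no signature",
}

AuditResult = Tuple[str, bool, str, str]  # (commit, ok, reason, subject)


def git_log(rev_range: str, repo: str = ".") -> List[str]:
    """Run git log with LOG_FORMAT over rev_range; one line per commit."""
    proc = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return [line for line in proc.stdout.splitlines() if line]


def audit(lines: Iterable[str], trusted: Set[str]) -> List[AuditResult]:
    """Decide, per commit, whether it is signed by an allowlisted key.

    Every commit in the range is judged individually; a signed tip commit
    says nothing about the commits beneath it.
    """
    results: List[AuditResult] = []
    for line in lines:
        fields = line.split("\t", 3)
        commit, status, fpr = fields[0], fields[1], fields[2].upper()
        subject = fields[3] if len(fields) > 3 else ""
        if status in ("G", "U") and fpr in trusted:
            ok, reason = True, f"signed by allowlisted key {fpr}"
        elif status in ("G", "U"):
            ok, reason = False, f"valid signature, but key {fpr} is not allowlisted"
        else:
            # Expired, revoked, bad, unsigned or unverifiable: all rejected.
            ok, reason = False, STATUS_MEANING.get(status, f"unknown status {status!r}")
        results.append((commit, ok, reason, subject))
    return results


def all_trusted(results: Iterable[AuditResult]) -> bool:
    """True only if every audited commit passed."""
    return all(ok for _, ok, _, _ in results)


# Constructed sample of what `git log --format=LOG_FORMAT` could print.
SAMPLE_LOG = [
    "0000000000000000000000000000000000000001\tG\t3CE464558A84FDC69DB40CFB090B11993D9AEBB5\tgnu: foo: Update to 1.2.",
    "0000000000000000000000000000000000000002\tU\tCA4F8CF437B1A0D2D8C5A4D9CA9DE4FF0E9DD48E\tbuild: Fix typo.",
    "0000000000000000000000000000000000000003\tG\tDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\tdoc: Reword section.",
    "0000000000000000000000000000000000000004\tN\t\tgnu: bar: Add package.",
    "0000000000000000000000000000000000000005\tE\t\tgnu: baz: Bump version.",
]


if __name__ == "__main__":
    # Usage: python audit.py <rev-range>   e.g. v0.9.0..origin/master
    # Without a range the constructed sample is audited instead.
    lines = git_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    report = audit(lines, TRUSTED_FINGERPRINTS)
    for commit, ok, reason, subject in report:
        print(f"{'OK  ' if ok else 'FAIL'} {commit[:12]} {subject}  ({reason})")
    sys.exit(0 if all_trusted(report) else 1)
```

A tarball builder would run this over the range from the last known-good commit to the candidate tip and refuse to publish on a non-zero exit. The two failure modes a practitioner most often trips over are both visible in the sample: a key that is absent from gpg's keyring yields status `E`, not a bad signature, and a signature that verifies under an unlisted key is still rejected, because the allowlist, not gpg's trust model, is what defines a Guix committer.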