From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id 0DDADGtAxF4eIAAA0tVLHw (envelope-from ) for ; Tue, 19 May 2020 20:24:11 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id 8DmlCGtAxF6HSAAAB5/wlQ (envelope-from ) for ; Tue, 19 May 2020 20:24:11 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8DAD8940B6B for ; Tue, 19 May 2020 20:24:10 +0000 (UTC) Received: from localhost ([::1]:51346 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jb8mW-0008Ti-Dp for larch@yhetil.org; Tue, 19 May 2020 16:24:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58620) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jb8mQ-0008TW-F6 for bug-guix@gnu.org; Tue, 19 May 2020 16:24:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:39636) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jb8mQ-0001TP-6S for bug-guix@gnu.org; Tue, 19 May 2020 16:24:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jb8mQ-0007Fj-3C; Tue, 19 May 2020 16:24:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#22883: Authenticating a Git checkout Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 19 May 2020 20:24:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 22883 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 22883@debbugs.gnu.org Received: via spool by 22883-submit@debbugs.gnu.org id=B22883.158991979127816 (code B ref 22883); Tue, 19 May 2020 20:24:02 +0000 Received: (at 22883) by debbugs.gnu.org; 19 May 2020 20:23:11 +0000 Received: from localhost ([127.0.0.1]:51182 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jb8lb-0007Ea-0j for submit@debbugs.gnu.org; Tue, 19 May 2020 16:23:11 -0400 Received: from eggs.gnu.org ([209.51.188.92]:51168) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jb8lZ-0007EJ-25 for 22883@debbugs.gnu.org; Tue, 19 May 2020 16:23:09 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:60314) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jb8lT-0001On-QF for 22883@debbugs.gnu.org; Tue, 19 May 2020 16:23:03 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=53836 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jb8lS-00038Y-SW for 22883@debbugs.gnu.org; Tue, 19 May 2020 16:23:03 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org> <20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org> <87bn3iz1xc.fsf_-_@gnu.org> <87wpket748.fsf@gnu.org> <87bmkwm8ed.fsf@gnu.org> <87png9o8i2.fsf@elephly.net> <87fth4bj6y.fsf@gnu.org> <87bln9oupo.fsf@gnu.org> <87wo5vfuxi.fsf@gnu.org> Date: Tue, 19 May 2020 22:23:00 +0200 In-Reply-To: <87wo5vfuxi.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Fri, 01 May 2020 19:04:41 +0200") Message-ID: <87o8qjekt7.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -3.3 (---) X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Spam-Score: -1.01 X-TUID: rHvDVd9puMli Hello! Ludovic Court=C3=A8s skribis: > The list of authorized committers is meant to be stored in a > =E2=80=98.guix-authorizations=E2=80=99 file in each branch of the channel= . It is > essentially a list of fingerprints: > > https://git.savannah.gnu.org/cgit/guix.git/commit/?h=3Dwip-openpgp&id= =3Df145a2d1a982cc841c7ccae3334d4783dad24a1e > > To accept a new committer, an authorized committer must add its key to > this file in the branch(es) where that person is expected to commit. > The format currently accepts additional data for each fingerprint. It=E2= =80=99s > currently ignored, but I thought it could be useful in the future, for > instance if we want to associate a file pattern with a key. > > A commit is considered =E2=80=9Cauthorized=E2=80=9D if and only if its si= gning key is > listed in the =E2=80=98.guix-authorizations=E2=80=99 file of its parent c= ommit(s). The good news with this model is that an adversary cannot trick users into fetching an unrelated branch where the authorizations would be different: they can always detect that it=E2=80=99s a disconnected branch or that it=E2=80=99s not a fast-forward pull. The bad news is that this also prevents =E2=80=9Cunauthorized forks=E2=80= =9D in general. Unless Guix folks explicitly push a commit authorizing the key of the person who forks, commits by that person will appear as unauthorized. So we need an extra mechanism to say: =E2=80=9Cthis fork starts here=E2=80= =9D. However, modifications to that piece of information must be detectable so that one cannot serve a malicious fork that pretends to forego history. Ludo=E2=80=99.