From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#22883: Authenticating a Git checkout
Date: Mon, 06 Jun 2016 09:01:50 +0200
Message-ID: <87poru7qch.fsf@gnu.org>
In-Reply-To: <877fe3hwe9.fsf@gnu.org> (Mike Gerwitz's message of "Sun, 05 Jun 2016 22:41:02 -0400")
To: Mike Gerwitz
Cc: 22883@debbugs.gnu.org

Hello,

Mike Gerwitz wrote:

> But there doesn't seem to be any way to secure a git repository against
> a second-preimage attack.

That’s by large beyond the scope of this discussion.  :-)

I think all we want is to allow someone who gets a checkout of Guix to
authenticate the source code, i.e., to make sure it was committed by one
of these awesome Guix hackers and not by Mr. Evildoer.

Ludo’.