From: Ludovic Courtès
To: Ricardo Wurmus
Cc: 22883@debbugs.gnu.org
Subject: bug#22883: Authenticating a Git checkout
Date: Fri, 01 May 2020 19:20:38 +0200
Message-ID: <87y2qbefmh.fsf@gnu.org>
In-Reply-To: <87bln9oupo.fsf@gnu.org>

Ludovic Courtès wrote:

>   • Generalize that to channels.

As I see it, the generalization would be made by adding the
authentication parameters to the ‘.guix-channel’ file, along these
lines:

  (channel
    (version 0)
    (keyring-reference "my-keyring-branch")
    (historical-authorizations ".guix-authorizations.old"))

where:

  • ‘keyring-reference’ specifies the branch where to look for *.key
    files that constitute the keyring.
    It can be ‘master’ and have the key mixed up with other files if
    that’s OK for the channel.  By default, it could be the current
    branch.

  • ‘historical-authorizations’ specifies a file to load in this
    branch and that contains a ‘.guix-authorizations’-formatted list
    of fingerprints for commits that lack a ‘.guix-authorizations’
    file.

    By default, we could ignore historical commits—more specifically,
    commits whose parent(s) lack(s) ‘.guix-authorizations’.  It does
    mean that if an authorized commit removes ‘.guix-authorizations’,
    then we’re back to unauthenticated commits.

‘guix pull’ would error out before attempting to build anything if
authentication fails.  It could display a warning when pulling a commit
whose parent(s) lack(s) ‘.guix-authorizations’.

Thoughts?

In terms of code, everything is already there, so it’d be mostly about
moving code around and double-checking the new data formats since
they’ll be hard to change.

In terms of processes, it’ll be tricky: if we committers make a mistake
(sign with the wrong key, forget to add a new committer’s key, etc.),
nobody is able to pull.  In such a case, we’ll probably have to do a
hard-reset of the affected branch.

It would be best if we had a server-side hook to perform all these
checks, so that we don’t encounter such problems.  That would mean
running some of this code on Savannah, I don’t know if it’ll be
possible.  If it’s not, we can set up our own Git repo elsewhere and
make Savannah a mirror.

More thoughts?  :-)

Ludo’.
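
Added example, not part of the message above and not Guix's own code: a small Python model of the proposed rule, showing the default "warn only" treatment of historical commits and the case where an authorized commit removes ‘.guix-authorizations’. It assumes each commit is checked against the ‘.guix-authorizations’ list of its parent(s) and that a root commit is treated like a missing file; the names Commit, verdict and pull and the sample history are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Commit:
    parents: tuple               # ids of the parent commits
    signer: str                  # fingerprint of the signing key
    authz: Optional[frozenset]   # '.guix-authorizations' content, None if absent

class AuthenticationError(Exception):
    """Raised so that a pull stops before anything is built."""

def verdict(history, cid, historical=None):
    """Classify one commit as 'authorized', 'unauthorized' or 'unchecked'."""
    commit = history[cid]
    # Assumption: a commit is judged by its parents' authorization lists;
    # a root commit has no parent, so it is treated like a missing file.
    lists = [history[p].authz for p in commit.parents] or [None]
    # Where the file is absent, fall back to 'historical-authorizations'.
    lists = [historical if allowed is None else allowed for allowed in lists]
    if any(a is not None and commit.signer not in a for a in lists):
        return "unauthorized"
    return "unchecked" if any(a is None for a in lists) else "authorized"

def pull(history, order, historical=None):
    """Check commits oldest first; return the ids that only get a warning."""
    warnings = []
    for cid in order:
        result = verdict(history, cid, historical)
        if result == "unauthorized":
            raise AuthenticationError(f"{cid}: {history[cid].signer} not authorized")
        if result == "unchecked":
            warnings.append(cid)
    return warnings

# Constructed history; fingerprints are shortened placeholders.
A, B, M = "AAAA", "BBBB", "MMMM"
HISTORY = {
    "c0": Commit((), A, None),                     # predates the file
    "c1": Commit(("c0",), A, frozenset({A, B})),   # introduces the file
    "c2": Commit(("c1",), B, frozenset({A, B})),
    "c3": Commit(("c2",), B, None),                # authorized commit removes the file
    "c4": Commit(("c3",), M, frozenset({M})),      # unlisted key, parent has no file
}
ORDER = ["c0", "c1", "c2", "c3", "c4"]

if __name__ == "__main__":
    print(pull(HISTORY, ORDER))   # default: historical commits only warn
```

Passing a historical list such as frozenset({"AAAA"}) as the third argument makes c4 fail instead of warn, because the fallback list then applies wherever the parent has no file.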