From: Julien Lepiller <julien@lepiller.eu>
To: guix-devel@gnu.org, Taylan Kammer <taylan.kammer@gmail.com>,
Maxime Devos <maximedevos@telenet.be>,
Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 10:16:13 -0500 [thread overview]
Message-ID: <1928C3AD-4670-48C8-A75A-5884691F3C81@lepiller.eu> (raw)
In-Reply-To: <19be2417-8fc3-2b13-0a17-975fe0d5c1cc@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1485 bytes --]
Also, make sure to install the pre-push hook, it should not have let you commit without checking your commits were properly recognised.
Le 11 mars 2021 08:11:38 GMT-05:00, Taylan Kammer <taylan.kammer@gmail.com> a écrit :
>On 11.03.2021 08:37, Maxime Devos wrote:
>> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>>> [...]
>>> Damn, sorry about that. I assumed of course that an improperly
>signed
>>> commit would not be accepted, so I didn't pay any special mind.
>>>
>>> However, I also assumed that adding a new GPG key to my
>savannah.gnu.org
>>> account would be sufficient.
>>
>> "guix pull" only looks at the git repo (the .guix-authorizations file
>+ the
>> keyring branch), and not anything else provided by savannah. Doing
>so would
>> introduce an additional point where the "guix pull" mechanism could
>be
>> compromised. The git repository could as well have been hosted at
>> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>>
>> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’
>and
>> ‘7.4 Invoking ‘guix git authenticate’’).
>
>Thanks, makes sense.
>
>I'm hopping workstations recently, and my general habit is to create
>new
>keys on each machine I'm using and register them where ever needed.
>(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)
>
>I guess I shouldn't do that with Guix push access and instead keep a
>GPG
>key on a USB drive or such.
>
>
>- Taylan
[-- Attachment #2: Type: text/html, Size: 1980 bytes --]
next prev parent reply other threads:[~2021-03-11 16:08 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-10 21:22 Commit pushed to master with unauthorised signature Tobias Geerinckx-Rice
2021-03-10 23:15 ` Taylan Kammer
2021-03-11 7:37 ` Maxime Devos
2021-03-11 13:11 ` Taylan Kammer
2021-03-11 14:59 ` Tobias Geerinckx-Rice
2021-03-11 22:53 ` Taylan Kammer
2021-03-11 15:16 ` Julien Lepiller [this message]
2021-03-11 19:16 ` Leo Famulari
2021-03-11 23:02 ` Taylan Kammer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1928C3AD-4670-48C8-A75A-5884691F3C81@lepiller.eu \
--to=julien@lepiller.eu \
--cc=guix-devel@gnu.org \
--cc=maximedevos@telenet.be \
--cc=me@tobias.gr \
--cc=taylan.kammer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).