unofficial mirror of guix-devel@gnu.org 
From: Taylan Kammer <taylan.kammer@gmail.com>
To: Maxime Devos <maximedevos@telenet.be>,
	Tobias Geerinckx-Rice <me@tobias.gr>,
	guix-devel@gnu.org
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 14:11:38 +0100	[thread overview]
Message-ID: <19be2417-8fc3-2b13-0a17-975fe0d5c1cc@gmail.com> (raw)
In-Reply-To: <339a5b55eeb5032216778ba01a17dd603335c095.camel@telenet.be>

On 11.03.2021 08:37, Maxime Devos wrote:
> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>> [...]
>> Damn, sorry about that.  I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
>>
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient.
> 
> "guix pull" only looks at the git repo (the .guix-authorizations file + the
> keyring branch), and not anything else provided by savannah.  Doing so would
> introduce an additional point where the "guix pull" mechanism could be
> compromised.  The git repository could as well have been hosted at
> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
> 
> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
> ‘7.4 Invoking ‘guix git authenticate’’).

Thanks, makes sense.

I'm hopping workstations recently, and my general habit is to create new
keys on each machine I'm using and register them wherever needed.
(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)

I guess I shouldn't do that with Guix push access and instead keep a GPG
key on a USB drive or such.


- Taylan
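To make the point in the quoted reply concrete, here is an added example (my own Python, not Guix's code) that models the in-repository authorization rule `guix pull` / `guix git authenticate` apply: a commit counts as authorized only when its signing key's fingerprint appears in the `.guix-authorizations` file of every parent commit, so a key registered only with a forge account, or added to the file only in the commit being checked, never qualifies. The S-expression layout follows the format documented in the Guix manual; the fingerprints are sample values, not real keys; the parser is a minimal one written for this example; and it assumes the OpenPGP signature itself has already been verified against the keyring branch, since only the authorization step is modelled (the channel-introduction commit is not).

```python
"""Model of the in-repository commit authorization that `guix pull` relies on.

Added example, not Guix's own code.  Parses a .guix-authorizations file
(format as documented in the Guix manual) and applies the rule that a commit
is accepted only when its signing key is listed in the .guix-authorizations
of every parent commit.  Fingerprints are sample values, not real keys.
"""
import re

# Constructed sample file, in the shape of a real .guix-authorizations (version 0).
SAMPLE_AUTHORIZATIONS = """
;; Authorized committers (sample data).
(authorizations
 (version 0)

 (("AD17 A21E F8AE D8F1 CC02  DBD9 F7FD 8D2C 9B6B 2B0E"
   (name "alice"))
  ("2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5"
   (name "bob"))))
"""

# The same file after a later commit added a third key ("charlie").
REVISED_AUTHORIZATIONS = SAMPLE_AUTHORIZATIONS.replace(
    '(name "bob"))))',
    '(name "bob"))\n  ("CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"\n   (name "charlie"))))',
)


class Symbol(str):
    """A bare (unquoted) atom, kept distinct from a double-quoted string."""


def tokenize(text):
    # Double-quoted strings, parentheses, ';' comments (dropped) and bare atoms.
    for m in re.finditer(r'"(?:[^"\\]|\\.)*"|[()]|;[^\n]*|[^\s()"]+', text):
        tok = m.group(0)
        if not tok.startswith(";"):
            yield tok


def parse(text):
    """Parse S-expressions into nested lists (quoted strings stay str, atoms become Symbol)."""
    stack = [[]]
    for tok in tokenize(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])
        else:
            stack[-1].append(Symbol(tok))
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def normalize_fingerprint(fpr):
    """Drop the grouping spaces and upper-case; reject anything that is not a 40-hex-digit v4 fingerprint."""
    f = "".join(fpr.split()).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", f):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return f


def authorized_fingerprints(text):
    """Return the set of fingerprints authorized by one .guix-authorizations file."""
    forms = parse(text)
    if len(forms) != 1 or not forms[0] or forms[0][0] != Symbol("authorizations"):
        raise ValueError("expected a single (authorizations ...) form")
    body = forms[0][1:]
    version = [f[1] for f in body if isinstance(f, list) and f and f[0] == Symbol("version")]
    if version != [Symbol("0")]:
        raise ValueError(f"unsupported version: {version}")
    # The entry list is the sub-form whose first element is itself a list.
    entries = [f for f in body if isinstance(f, list) and f and isinstance(f[0], list)]
    if len(entries) != 1:
        raise ValueError("expected exactly one list of key entries")
    return {normalize_fingerprint(entry[0]) for entry in entries[0]}


def commit_authorized(signer_fingerprint, parent_authorization_files):
    """The rule guix git authenticate enforces: the signing key must be listed in the
    .guix-authorizations of *every* parent of the commit.  A key known only to a
    forge account, or added only by the commit itself, does not count."""
    if not parent_authorization_files:
        raise ValueError("need the .guix-authorizations of at least one parent")
    signer = normalize_fingerprint(signer_fingerprint)
    return all(signer in authorized_fingerprints(text) for text in parent_authorization_files)


if __name__ == "__main__":
    alice = "AD17 A21E F8AE D8F1 CC02 DBD9 F7FD 8D2C 9B6B 2B0E"
    charlie = "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"
    print(commit_authorized(alice, [SAMPLE_AUTHORIZATIONS]))                            # True
    print(commit_authorized(charlie, [SAMPLE_AUTHORIZATIONS]))                          # False: not yet in the parent's file
    print(commit_authorized(charlie, [REVISED_AUTHORIZATIONS]))                         # True: the parent authorizes charlie
    print(commit_authorized(charlie, [SAMPLE_AUTHORIZATIONS, REVISED_AUTHORIZATIONS]))  # False: a merge needs every parent
```

The last two calls are the part worth noticing: the same key is accepted once a parent commit's file lists it, but a merge commit with one parent that does not list it is still rejected, which is why a new key has to be added to `.guix-authorizations` by an already-authorized committer before the key's owner can push.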



Thread overview: 9+ messages
2021-03-10 21:22 Commit pushed to master with unauthorised signature Tobias Geerinckx-Rice
2021-03-10 23:15 ` Taylan Kammer
2021-03-11  7:37   ` Maxime Devos
2021-03-11 13:11     ` Taylan Kammer [this message]
2021-03-11 14:59       ` Tobias Geerinckx-Rice
2021-03-11 22:53         ` Taylan Kammer
2021-03-11 15:16       ` Julien Lepiller
2021-03-11 19:16   ` Leo Famulari
2021-03-11 23:02     ` Taylan Kammer
