From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id GOTvLPUhlGKTGQAAbAwnHQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 30 May 2022 03:46:29 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id mFLuK/UhlGLnfAEAG6o9tA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 30 May 2022 03:46:29 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 455F59C88
	for <larch@yhetil.org>; Mon, 30 May 2022 03:46:29 +0200 (CEST)
Received: from localhost ([::1]:48944 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1nvUUG-00053s-2N
	for larch@yhetil.org; Sun, 29 May 2022 21:46:28 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:54282)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kiasoc5@disroot.org>)
 id 1nvUTn-00053g-NO
 for guix-devel@gnu.org; Sun, 29 May 2022 21:46:00 -0400
Received: from knopi.disroot.org ([178.21.23.139]:58604)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kiasoc5@disroot.org>)
 id 1nvUTl-0008Km-DM
 for guix-devel@gnu.org; Sun, 29 May 2022 21:45:59 -0400
Received: from localhost (localhost [127.0.0.1])
 by disroot.org (Postfix) with ESMTP id 0AA0B43701
 for <guix-devel@gnu.org>; Mon, 30 May 2022 03:45:54 +0200 (CEST)
X-Virus-Scanned: SPAM Filter at disroot.org
Received: from knopi.disroot.org ([127.0.0.1])
 by localhost (disroot.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id IWIvZdkvI1Cw for <guix-devel@gnu.org>;
 Mon, 30 May 2022 03:45:52 +0200 (CEST)
Mime-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail;
 t=1653875152; bh=yAE+Ly83PIPh+trZnLHmUUSd5jI3/zgSoM2fWhdpkLM=;
 h=Date:From:Subject:To;
 b=UH7RQqd/tiT5xff+5Xbid1vaIg2n/ta6wMhXJ6JZeXjhPmzn8aA+nCrxSxhRXBFdA
 X4IjY+vYEKHoxiGEGy0i+4LsEmd0IYHu94Uca3qcpWWvb0/jbBZ7RFMMcooXxSaYGH
 txZZIVIi1lX60tGTp4Sf3yoAOTySE0/WnU2fXgUuOPmq6l/TcMcMGFnFPg/jh15Fhh
 6SxvX5l9w4aAmBiFWXDETPwyPvnCVQWtJPggV7JaLT22/kToSpyt0kqBmTPLVXEPM9
 IDGZeeqZ7f3ZQitE6MoX/l0Iy9iW19czSQ+JgFrJeOzOmXRJpBFsG71KgogMgJvHdV
 dduKwvRQzxhzA==
Date: Mon, 30 May 2022 01:45:52 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: kiasoc5@disroot.org
Message-ID: <34a12bbaae833ce9f53a106ea2108da3880cd3de@disroot.org>
Subject: auth-tarball-from-git
To: guix-devel@gnu.org
Received-SPF: pass client-ip=178.21.23.139; envelope-from=kiasoc5@disroot.org;
 helo=knopi.disroot.org
X-Spam_score_int: 0
X-Spam_score: -0.1
X-Spam_bar: /
X-Spam_report: (-0.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 PDS_OTHER_BAD_TLD=1.997, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1653875189;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=yAE+Ly83PIPh+trZnLHmUUSd5jI3/zgSoM2fWhdpkLM=;
	b=Uz4qnJgPrAchOaxEwNtyUAeAGiLG4TOIcVWWEFlj9hXJFJWZhEWaDmlcpCuKMHzj5Pm9u8
	wPdDrhJAFnMXtwBpfRW3S8XJZfFlZESMpf+3slyq6lDMhYNL5YEl7fH73EIffygX/XKcvi
	0pTi0Kj05/wYGtOOSTyyCASVKEvRGjO9ir+2y5XSNqfslylzb/QxXbyMk2+As6ckwFkYFp
	HEe/bBnEgqdhaT/ciA2dy8vlxgXvwb1wONtrzCaABuqHmwOHQukWXTB4xDBUFgv1h+s03K
	WHJk/1mmbFNNMZZ9Ui9CUsioMVBNT4x13Llk3vNrTb30LG8bSoXiOJckxWhWfg==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1653875189; a=rsa-sha256; cv=none;
	b=OhKxXUYP+fG/trhLzimDpqecJPdLIyWBVyts9KbkXnaLLZB79E3pszOItz0gZsP9EMcgYC
	1S8yVntS+P9/HOYQbD6c6u/DGuDnk5jfoJYtit9dK3qA2XYP12JudpqF243hnEp6SMZOhf
	Z+Pg5pTrR3/iaytllyfK2PpqiNjRyl+6uSS8C6m9mMP00uXb771aF3TfFf21tt4x6qcGL8
	1edpuSP7GPRd5P9NDAJepJQ7JtR+Ut/N/59QX+U7hN5RtZjKxBCSpNL+4qpj43Z+hrwyWT
	KkP3cibSJClnQESn5XvRYEDRVjF2yjyAFfi8IJPOOk0nMs3wQuHC8bgTVRZp9Q==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=disroot.org header.s=mail header.b="UH7RQqd/";
	dmarc=pass (policy=quarantine) header.from=disroot.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -3.33
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=disroot.org header.s=mail header.b="UH7RQqd/";
	dmarc=pass (policy=quarantine) header.from=disroot.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: 455F59C88
X-Spam-Score: -3.33
X-Migadu-Scanner: scn0.migadu.com
X-TUID: oI10UvnS7nbk

Authenticate a tarball through a signed tag in a git repository (with rep=
roducible builds).

Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/

Source code: https://github.com/kpcyrd/auth-tarball-from-git

Pretty interesting, could be useful for guix.