I haven't looked at the code at all, but perhaps it would be useful to
users of Guix if, upon a guix pull with a commit that fails to
authenticate, guix pull would still pull up to the last in the chain of
successfully authenticated commmits?

Right now, it stops the entire operation if one commit from one channel
fails to authenticate, which has value (and might be useful as a setting
or flag, for those with greater security concerns or those maintaining
the channel).

But assuming the authentications are done in order, could we make the
default an effective "pin" to the last authenticated commit? This is
probably the way users /should/ deal with this kind of issue anyway
(disable-authentication is worrisome), and having the default be this
kind of fallback would make it so users are still able to pull other
channels they might have, or at least update to the last "good" commit.

What do You think?

--

Christopher Rodriguez