From: Tobias Geerinckx-Rice <me@tobias.gr>
To: guix-devel@gnu.org
Subject: Commit pushed to master with unauthorised signature
Date: Wed, 10 Mar 2021 22:22:24 +0100
Message-ID: <87h7lid7qn.fsf@nckx>

Guix,

I have very little time to write a proper post-mortem. Luckily,
thanks to the prompt help of rwp of #savannah fame and Ludo's sane
‘guix pull’ design, there's not much to report, although there's
something to improve.

Despite the scary title, at no point did anything untoward or
malicious happen. Users were not at risk.

Earlier today the following commit was pushed to master:

--8<---------------cut here---------------start------------->8---
commit 15092548804b6c50ea276d098f76a79bd0042398
gpg: Signature made Wed Mar 10 19:55:39 2021 CET
gpg: using RSA key 51A0982A58B64622464833085EEB3986CB2F65ED
gpg: Good signature from "Taylan Kammer (Debian10VM) <taylan.kammer@gmail.com>" [unknown]
Primary key fingerprint: 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED
Author: Taylan Kammer <taylan.kammer@gmail.com>
gnu: guile-bytestructures: Update to 1.0.10.
* gnu/packages/guile.scm (guile-bytestructures): Update to 1.0.10.
--8<---------------cut here---------------end--------------->8---
The key with fingerprint 51A0 982A 58B6 4622 4648 3308 5EEB 3986
CB2F 65ED is not present in .guix-authorizations, nor in the
‘keyring’ branch. This broke ‘guix pull’ for all users[0]:
--8<---------------cut here---------------start------------->8---
guix pull: error: could not authenticate commit 15092548804b6c50ea276d098f76a79bd0042398: key 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED is missing
--8<---------------cut here---------------end--------------->8---

The only solution to that is to remove the offending commit
upstream. Our Savannah git repository does not allow deleting or
force-pushing master for safety reasons. Helpful Bob Proulx of
the Savannah team manually reset the remote master branch back to
the previous[1] commit.

I have pushed Taylan's commit as
b1eb7448370bbd4d494cf9f3fddae88dd0de2ca3, signed with my own key.

The good news is that ‘guix pull’ commit authentication has passed
real-world testing, and that the mess was relatively transparent
to users: ‘guix pull’ continues to work without extra options,
even for those who pulled between 150925 and b1eb74 and got a
scary error.

The less-good news is that our remote git hook should never have
allowed this to happen in the first place, and that this weakness
has been known for... well, a while[2]. Any committer can DoS
guix pull in a way that even the maintainers can't fix unaided.

This also highlights the fact that many people[3] are currently
unconditionally trusted with commit access. This includes
‘currently inactive members’: Savannah has no way to disable or
even restrict commit access (to specific branches, subdirectories,
or even repositories(?)) without removing membership altogether.
The chance of mistakes, key confusion, forgotten commit privileges
grows.

lfam has started removing certain inactive people from this list,
but removing people is not a fun job nor something one proactive
volunteer should be tasked with alone.

Kind regards,

T G-R

[0]: https://logs.guix.gnu.org/guix/2021-03-10.log#205043
[1]: 60174c9c8c307be43450af38ce7c4e268278e07c
[2]: https://savannah.nongnu.org/support/?func=detailitem&item_id=109104
[3]: https://savannah.gnu.org/project/memberlist.php?group=guix
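
The kind of server-side check whose absence the message describes, as an added example that is not part of the original post and is not Savannah's or Guix's actual hook: a pre-receive hook that rejects any commit pushed to master unless git accepts its signature and the signing key is on an allow-list. The function names, the AUTHORIZED_FPRS variable and the one-fingerprint-per-line list file are assumptions made for the example; `git verify-commit --raw` and the GnuPG `VALIDSIG` status line are the real interfaces it relies on.

```shell
#!/bin/sh
# Added example (hypothetical hook, not Savannah's or Guix's own).
# Assumed: AUTHORIZED_FPRS names a file with one fingerprint per line, and the
# hook's GnuPG keyring holds the committers' public keys.

# Canonical fingerprint: no spaces, upper-case hex.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# stdin: GnuPG status lines. Prints the fingerprint of the key that made the
# signature (first VALIDSIG line); fails if there is none.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && !ok { print $3; ok = 1 }
         END { exit !ok }'
}

# is_authorized FPR LISTFILE: succeeds only if FPR is listed.
is_authorized() {
    want=$(norm_fpr "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(norm_fpr "$line")" = "$want" ] && return 0
    done < "$2"
    return 1
}

# check_status LISTFILE < status: verdict for one commit, reason on stdout.
check_status() {
    fpr=$(signer_fpr) || { echo "no valid signature"; return 1; }
    is_authorized "$fpr" "$1" || { echo "key $fpr is not authorized"; return 1; }
}

# run_hook LISTFILE: stdin is git's "<old> <new> <ref>" pre-receive input.
run_hook() {
    rc=0
    while read -r old new ref; do
        [ "$ref" = refs/heads/master ] || continue
        case $new in *[!0]*) ;; *) continue ;; esac      # branch deletion
        case $old in *[!0]*) range=$old..$new ;; *) range=$new ;; esac
        for c in $(git rev-list "$range" </dev/null); do
            # Keep the status text only if git itself accepts the signature.
            st=$(git verify-commit --raw "$c" 2>&1 </dev/null) || st=
            why=$(printf '%s\n' "$st" | check_status "$1") ||
                { echo "rejected $c: $why" >&2; rc=1; }
        done
    done
    return $rc
}

# Runs only when installed as hooks/pre-receive, so the file can be sourced.
case "${0##*/}" in pre-receive) run_hook "${AUTHORIZED_FPRS:?}" ;; esac
```

A commit that is unsigned, or signed by a key absent from the hook's keyring, produces no VALIDSIG line and is refused with "no valid signature"; a good signature from a key that is not on the list is refused by fingerprint.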