From: Tobias Geerinckx-Rice
To: guix-devel@gnu.org
Subject: Commit pushed to master with unauthorised signature
Date: Wed, 10 Mar 2021 22:22:24 +0100
Message-ID: <87h7lid7qn.fsf@nckx>

Guix,

I have very little time to write a proper post-mortem.  Luckily,
thanks to the prompt help of rwp of #savannah fame and Ludo's sane
‘guix pull’ design, there's not much to report, although there's
something to improve.

Despite the scary title, at no point did anything untoward or
malicious happen.  Users were not at risk.

Earlier today the following commit was pushed to master:

--8<---------------cut here---------------start------------->8---
commit 15092548804b6c50ea276d098f76a79bd0042398
gpg: Signature made Wed Mar 10 19:55:39 2021 CET
gpg: using RSA key 51A0982A58B64622464833085EEB3986CB2F65ED
gpg: Good signature from "Taylan Kammer (Debian10VM)" [unknown]
Primary key fingerprint: 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED
Author: Taylan Kammer

gnu: guile-bytestructures: Update to 1.0.10.

* gnu/packages/guile.scm (guile-bytestructures): Update to 1.0.10.
--8<---------------cut here---------------end--------------->8---

The key with fingerprint 51A0 982A 58B6 4622 4648 3308 5EEB 3986
CB2F 65ED is not present in .guix-authorizations, nor in the
‘keyring’ branch.  This broke ‘guix pull’ for all users[0]:

--8<---------------cut here---------------start------------->8---
guix pull: error: could not authenticate commit 15092548804b6c50ea276d098f76a79bd0042398: key 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED is missing
--8<---------------cut here---------------end--------------->8---

The only solution to that is to remove the offending commit
upstream.  Our Savannah git repository does not allow deleting or
force-pushing master for safety reasons.  Helpful Bob Proulx of
the Savannah team manually reset the remote master branch back to
the previous[1] commit.  I have pushed Taylan's commit as
b1eb7448370bbd4d494cf9f3fddae88dd0de2ca3, signed with my own key.

The good news is that ‘guix pull’ commit authentication has passed
real-world testing, and that the mess was relatively transparent
to users: ‘guix pull’ continues to work without extra options,
even for those who pulled between 150925 and b1eb74 and got a
scary error.

The less-good news is that our remote git hook should never have
allowed this to happen in the first place, and that this weakness
has been known for... well, a while[2].  Any committer can DoS
guix pull in a way that even the maintainers can't fix unaided.

This also highlights the fact that many people[3] are currently
unconditionally trusted with commit access.
This includes ‘currently inactive members’: Savannah has no way to
disable or even restrict commit access (to specific branches,
subdirectories, or even repositories(?)) without removing
membership altogether.  The chance of mistakes, key confusion,
forgotten commit privileges grows.

lfam has started removing certain inactive people from this list,
but removing people is not a fun job nor something one proactive
volunteer should be tasked with alone.

Kind regards,

T G-R

[0]: https://logs.guix.gnu.org/guix/2021-03-10.log#205043
[1]: 60174c9c8c307be43450af38ce7c4e268278e07c,
[2]: https://savannah.nongnu.org/support/?func=detailitem&item_id=109104
[3]: https://savannah.gnu.org/project/memberlist.php?group=guix
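
The server-side check the message says the remote hook was missing, sketched as an added example (not part of the original message, and not Guix's or Savannah's hook code). It assumes signatures were already verified and each commit's signer fingerprint extracted, and that the authorizations file is read from the branch tip before the push; the listed keys, names and the first commit id are constructed.

```python
import re

# Constructed sample in the .guix-authorizations S-expression layout;
# both fingerprints and names are made up for illustration.
AUTHORIZATIONS = '''
(authorizations
 (version 0)
 (("AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555"
   (name "alice"))
  ("0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
   (name "bob"))))
'''

def normalize(fingerprint):
    """Drop whitespace and upper-case, so the spaced and compact
    spellings gpg prints compare equal."""
    return re.sub(r"\s+", "", fingerprint).upper()

def authorized_keys(text):
    """Return the set of 40-hex-digit fingerprints listed in the file."""
    quoted = re.findall(r'"([0-9A-Fa-f\s]+)"', text)
    return {normalize(q) for q in quoted if len(normalize(q)) == 40}

def check_push(commits, authorizations_text):
    """Return (commit_id, reason) for every commit the hook should refuse.

    commits: list of (commit_id, signer_fingerprint or None), oldest first.
    An empty result means the push may be accepted.
    """
    allowed = authorized_keys(authorizations_text)
    rejected = []
    for commit_id, signer in commits:
        if signer is None:
            rejected.append((commit_id, "unsigned commit"))
        elif normalize(signer) not in allowed:
            rejected.append((commit_id, "key not authorized: " + normalize(signer)))
    return rejected

# First entry is constructed; the second is the commit and key from the message.
PUSH = [
    ("0000000000000000000000000000000000000001",
     "aaaa1111bbbb2222cccc3333dddd4444eeee5555"),
    ("15092548804b6c50ea276d098f76a79bd0042398",
     "51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED"),
]

if __name__ == "__main__":
    for commit_id, reason in check_push(PUSH, AUTHORIZATIONS):
        print("refusing %s: %s" % (commit_id, reason))
```

Refusing the whole push when the returned list is non-empty keeps an unauthorized commit from ever reaching master, so no manual branch reset is needed afterwards.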