unofficial mirror of guix-devel@gnu.org 
* Authenticating a custom channel while tracking upstream
@ 2023-05-07 22:51 Felix Lechner via Development of GNU Guix and the GNU System distribution.
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-05-07 22:51 UTC
  To: Guix Devel

Hi,

Is the current scheme of authenticating Git checkouts [1] really
compatible with the free software guidelines we hold so dear?

Here is my dilemma: I would like to deploy an experimental version of
Guix by following the advice so kindly offered here [2] but hesitate
to compromise on security. I cannot figure out how to add my own key
[3] to the in-repo file .guix-authorizations [4] without asking an
approved upstream committer to sign that commit in my own repository.

The way I see it, such a shim transaction would also prevent me from
tracking further upstream changes in my own branch because the shim
would have to be rebased continually.

I believe users should be able to extend the trust roots. Could we
perhaps expand the present mechanism to merge the trusted keys from
all channels? That would presumably include my own. Thanks!

Kind regards
Felix

[1] https://guix.gnu.org/blog/2020/securing-updates/
[2] https://lists.gnu.org/archive/html/guix-devel/2023-05/msg00021.html
[3] https://codeberg.org/lechner/juix/src/branch/history/.guix-authorizations
[4] https://git.savannah.gnu.org/cgit/guix.git/tree/.guix-authorizations

