Date: Thu, 11 Mar 2021 14:16:35 -0500
From: Leo Famulari
To: Taylan Kammer
Cc: guix-devel@gnu.org
Subject: Re: Commit pushed to master with unauthorised signature
References: <87h7lid7qn.fsf@nckx> <8f198b1a-9e31-bc29-922f-2c1dd404390c@gmail.com>
In-Reply-To: <8f198b1a-9e31-bc29-922f-2c1dd404390c@gmail.com>

On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
> Damn, sorry about that. I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.

The security model is based on the client-side, i.e. `guix pull`. That
way, we don't have to trust the Git repo.

We do want to improve the repo so that it's not possible to push commits
signed with unauthorized keys, but that hasn't been done yet.

> However, I also assumed that adding a new GPG key to my savannah.gnu.org
> account would be sufficient. I did that via the web interface, and
> ensured that the encryption test is successful. The commit is signed
> with that new GPG key.

Adding your key(s) to your Savannah account is a required step...

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo, or are they not automatically synced, or is
> this a further bug?..

... but, we have a new code authentication system, described in the
manual section Specifying Channel Authorizations:

https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html

Basically, committers' keys must be added to the .guix-authorizations
file in the Git repo before their work will be accepted by `guix pull`.

We are really happy that you are pushing code again :)

When this issue popped up yesterday, I removed your commit access just
to avoid further broken commits. Concretely, this means that I removed
you from the Guix "group" on Savannah.

However, I want to re-add you as a committer. Please read the manual
section Commit Access. Especially, the part about the pre-push Git hook,
which would have caught this issue before pushing.

https://guix.gnu.org/manual/en/html_node/Commit-Access.html

Let me know when you've read the updated committer workflow guidelines
and installed the pre-push Git hook, and we'll add your new key to
.guix-authorizations, re-add you to the Savannah group, and then we can
continue with our happy hacking :)
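
Added example, not part of the original message and not Guix's own code: a simplified Python model of the client-side check, following the rule from the manual section linked above that each commit must be signed by a key listed in its parent's .guix-authorizations. It assumes a linear history, takes the signer's fingerprint as given instead of verifying an OpenPGP signature, and uses made-up fingerprints and commit ids; `first_rejected`, `authorized_keys` and `auth_file` are hypothetical helper names.

```python
import re

# Ten groups of four hex digits inside double quotes, the way fingerprints
# are written in a .guix-authorizations file.
FPR = re.compile(r'"((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})"')

def normalize(fpr):
    return re.sub(r"\s+", "", fpr).upper()

def authorized_keys(text):
    """Fingerprints listed in a .guix-authorizations file, comments ignored."""
    text = re.sub(r";[^\n]*", "", text)  # a commented-out entry grants nothing
    return {normalize(f) for f in FPR.findall(text)}

def first_rejected(history):
    """history: (commit_id, signer_fpr, authorizations_text) tuples, oldest first.
    The first commit is the trusted starting point; every later commit must be
    signed by a key listed in its parent's file. Returns the first commit id
    that fails, or None when the whole history is accepted."""
    allowed = authorized_keys(history[0][2])
    for commit_id, signer, text in history[1:]:
        if normalize(signer) not in allowed:
            return commit_id
        allowed = authorized_keys(text)  # this commit's file governs its child
    return None

# Constructed sample data: made-up fingerprints and commit ids.
ALICE = "AAAA 1111 AAAA 1111 AAAA  1111 AAAA 1111 AAAA 1111"
BOB = "BBBB 2222 BBBB 2222 BBBB  2222 BBBB 2222 BBBB 2222"
CAROL = "CCCC 3333 CCCC 3333 CCCC  3333 CCCC 3333 CCCC 3333"

def auth_file(*entries):
    body = "\n".join(f'  ("{fpr}"\n   (name "{name}"))' for fpr, name in entries)
    return f"(authorizations\n (version 0)\n (\n{body}))\n"

BASE = auth_file((ALICE, "alice"), (BOB, "bob"))
WITH_CAROL = auth_file((ALICE, "alice"), (BOB, "bob"), (CAROL, "carol"))

# Carol signs a commit that also adds her own key: the parent does not list her.
SELF_ADDED = [("c0", ALICE, BASE), ("c1", BOB, BASE), ("c2", CAROL, WITH_CAROL)]
# An authorized committer adds Carol's key first; her next commit is accepted.
ADDED_BY_ALICE = [("c0", ALICE, BASE), ("c1", ALICE, WITH_CAROL), ("c2", CAROL, WITH_CAROL)]

if __name__ == "__main__":
    print(first_rejected(SELF_ADDED), first_rejected(ADDED_BY_ALICE))
```

The first history is rejected at `c2` even though that commit lists the new key, which is why the key has to be added by someone already in the file before the new committer pushes.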