From: Simon Tournier <zimon.toutoune@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 70759@debbugs.gnu.org, Tomas Volf <~@wolfsden.cz>,
guix-blog@gnu.org, Skyler Ferris <skyvine@protonmail.com>
Subject: [bug#70759] [PATCH guix-artwork] website: Add post about ‘guix git authenticate’.
Date: Mon, 06 May 2024 11:39:39 +0200 [thread overview]
Message-ID: <87fruvl1no.fsf@gmail.com> (raw)
In-Reply-To: <20240503205729.6354-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Fri, 3 May 2024 22:57:29 +0200")
Hi Ludo,
On ven., 03 mai 2024 at 22:57, Ludovic Courtès <ludo@gnu.org> wrote:
> +# Why you should care
[...]
> Badges aren’t much better: the presence
> +of a “verified” badge only shows that the commit is signed by the
> +OpenPGP key *currently registered* for the corresponding GitLab/GitHub
> +account. If you register a new key, or if you leave the project, your
> +commits lose their badge. Not helpful either, not to mention that this
> +is all tied to the hosting site you’re on, outside of Git’s control.
Well, there is a double-sword here, IMHO. Because considering the
“keyring” branch approach, it reads: « keys of users who left the
project are necessary to authenticate past commits. »
Therefore, I do not see the problem with badges if you apply the same
constraint: do not remove the keys. Somehow, I would mitigate this
paragraph.
Other said, the main (and maybe only one) cons against badges is that
the (meta)information does not belong to the Git repository itself but
is registered somewhere in the platform^W service. And that breaks the
decentralized “claim“, i.e., it forces developer to login in such
services; it locks all contributors in one service.
Somehow, the “keyring” branch approach is about software and “badges” is
about service. It’s easy to have the control on the former and it’s
much harder to control the latter.
> +# Initial setup
[...]
> +That’s it. From now on, anyone who clones the repository can
> +authenticate it. The first time, run:
> +
> +```
> +guix git authenticate COMMIT SIGNER
> +```
This command does not require much Guix, right? Since the aim of this
post is to convince non-Guix, I would try to extract the Guile code and
have something without the call of “guix”.
If there is a Guile script, named ’git-authenticate’, then any user
putting this script somewhere in PATH would have it. They would just
run:
git authenticate COMMIT SIGNER
then it does all the dance. :-)
For sure, there is a maintenance issue; duplicate code, etc. However,
the call-product would be this autonomous Guile script, infrequently
updated – displaying a HUGE warning and asking to rely on “guix git
authenticate” instead.
I think this strategy would be better if the aim is to reach non-Guix
people. :-)
> +# Interested? You can help!
> +
> +`guix git authenticate` is a great tool that you can start using today
> +so you and fellow co-workers can be sure you’re getting the right code!
> +It solves an important problem that, to my knowledge, hasn’t really been
> +addressed by any other tool.
> +
> +Maybe you’re interested but don’t feel like installing Guix “just” for
> +this tool. Maybe you’re not into Scheme and Lisp and would rather use a
> +tool written in your favorite language. Or maybe you think—and
> +rightfully so—that such a tool ought to be part of Git proper.
Hum, I am doing a big cup of coffee, starting loud music in my
headphones and I would do right now what I am proposing above. :-)
Could you wait one or two days before publishing? I think it could be
nice to come with a Guile script so let me copy/paste some code around.
If there is no news from me, it means: more work than my
constraints. :-)
Cheers,
simon
next prev parent reply other threads:[~2024-05-06 9:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-03 20:57 [bug#70759] [PATCH guix-artwork] website: Add post about ‘guix git authenticate’ Ludovic Courtès
2024-05-04 13:28 ` pelzflorian (Florian Pelz)
2024-05-05 16:31 ` Ludovic Courtès
2024-05-06 9:39 ` Simon Tournier [this message]
2024-05-06 15:49 ` Ludovic Courtès
2024-05-06 16:26 ` Simon Tournier
2024-05-07 12:17 ` bug#70759: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fruvl1no.fsf@gmail.com \
--to=zimon.toutoune@gmail.com \
--cc=70759@debbugs.gnu.org \
--cc=guix-blog@gnu.org \
--cc=ludo@gnu.org \
--cc=skyvine@protonmail.com \
--cc=~@wolfsden.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).