unofficial mirror of guix-patches@gnu.org 
From: "André Batista" <nandre@riseup.net>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 61246@debbugs.gnu.org
Subject: [bug#61246] [PATCH v3 2/3] doc: Explain how to use local guix repositories.
Date: Wed, 22 Feb 2023 15:10:39 -0300
Message-ID: <Y/Zan4oZ1rs96PN6@andel>
In-Reply-To: <87fsb2q3kr.fsf@gmail.com>

Hi Maxim,

Sat 18 Feb 2023 at 12:35:32 (1676734532), maxim.cournoyer@gmail.com wrote:
> 
> --8<---------------cut here---------------start------------->8---
> Note that you can specify a local directory on the @code{url} field
> above if the channel that you intend to use resides on a local file
> system.  However, in this case @command{guix}@footnote{More accurately,
> @command{git}, which Guix utilizes via the @code{libgit2} library.}
> checks said directory for ownership before any further processing.  This
> means that if the user is not the directory owner, but wants to use it
> as their default, they will then need to set it as a safe directory in
> their global git configuration file.  Otherwise, @command{guix} will
> refuse to even read it.  Supposing your system-wide local directory is
> at @code{/src/guix.git}, you would then create a git configuration file
> at @code{~/.gitconfig} with the following contents:
> --8<---------------cut here---------------end--------------->8---

I don't think it's more accurate to say it's @command{git}.

Looking at the manual, in section 7.4 "Channel Authentication", it says:

---

The @command{guix pull} and @command{guix time-machine} commands
@dfn{authenticate} the code retrieved from channels: they make sure each
commit that is fetched is signed by an authorized developer.  The goal
is to protect from unauthorized modifications to the channel that would
lead users to run malicious code.

As a user, you must provide a @dfn{channel introduction} in your
channels file so that Guix knows how to authenticate its first commit.
A channel specification, including its introduction, looks something
along these lines:

---

Then it goes on to describe how to insert an OpenPGP fingerprint, a
commit hash, but it does not say it's @command{git}, nor
@command{gnupg}, and it has no word to say about the gcrypt library,
libgit2 or guile and IMO it's good as is.

Anyway, would it satisfy your concerns if I were to send another patch
version with the following contents?

--8<---------------cut here---------------start------------->8---
Note that you can specify a local directory on the @code{url} field
above if the channel that you intend to use resides on a local file
system.  However, in this case Guix checks said directory for ownership
before any further processing and it will, by default, abort execution
if the configured directory is neither owned by the calling user nor
has it been configured as a safe directory in the user's global
@command{git} configuration file at @code{~/.gitconfig}, which Guix
honors@footnote{If you know your @command{git}, this security measure
mimics what it does.}.  Supposing your system-wide local channel is
at @code{/src/guix.git}, you would then declare it a safe directory by
adding the following configuration directives to your @command{git}
global configuration file:
--8<---------------cut here---------------end--------------->8---

Cheers,
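
The owner-or-safe-directory decision described in the proposed text above, as an added example that is not part of the original message and is not Guix or libgit2 code. The function names, the `ls -ldn` owner lookup and the handling of `*` (git's documented `safe.directory` wildcard) are assumptions of this example.

```shell
#!/bin/sh
# Added illustration of the check described above; not Guix or libgit2 code.
# Function names and the demo layout are assumptions made for this example.

# Numeric uid that owns DIR (parsed from `ls -ldn` for portability).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# check_channel_dir DIR CALLER_UID SAFE_LIST
#   SAFE_LIST: newline-separated safe.directory values.
# Prints owned | safe-listed | refused | missing; returns 0 only if trusted.
check_channel_dir() {
    dir=$1; caller=$2; safe=$3
    [ -d "$dir" ] || { echo missing; return 2; }
    real=$(cd "$dir" && pwd -P)          # compare canonical paths
    if [ "$(owner_uid "$real")" = "$caller" ]; then
        echo owned; return 0
    fi
    # Not the owner: trust only an explicit entry ("*" is git's wildcard).
    while IFS= read -r entry; do
        case $entry in
            "$real"|"*") echo safe-listed; return 0 ;;
        esac
    done <<EOF
$safe
EOF
    echo refused; return 1
}

# Usage: sh check.sh /src/guix.git
if [ "$#" -ge 1 ]; then
    safe=$(git config --global --get-all safe.directory 2>/dev/null || true)
    check_channel_dir "$1" "$(id -u)" "$safe"
fi
```

A `refused` result for a directory you do not own means it has to be listed under `safe.directory` in `~/.gitconfig` before it can be used as a channel; a `safe-listed` result on a directory writable by others is worth a second look, since the listing bypasses the ownership check.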



