From: Julien Lepiller
To: guix-devel@gnu.org, Taylan Kammer, Maxime Devos, Tobias Geerinckx-Rice
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 10:16:13 -0500
Message-ID: <1928C3AD-4670-48C8-A75A-5884691F3C81@lepiller.eu>
In-Reply-To: <19be2417-8fc3-2b13-0a17-975fe0d5c1cc@gmail.com>

Also, make sure to install the pre-push hook, it should not have let you commit without checking your commits were properly recognised.

On 11 March 2021 08:11:38 GMT-05:00, Taylan Kammer wrote:
>On 11.03.2021 08:37, Maxime Devos wrote:
>> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>>> [...]
>>> Damn, sorry about that. I assumed of course that an improperly signed
>>> commit would not be accepted, so I didn't pay any special mind.
>>>
>>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>>> account would be sufficient.
>>
>> "guix pull" only looks at the git repo (the .guix-authorizations file + the
>> keyring branch), and not anything else provided by savannah. Doing so would
>> introduce an additional point where the "guix pull" mechanism could be
>> compromised. The git repository could as well have been hosted at
>> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>>
>> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
>> ‘7.4 Invoking ‘guix git authenticate’’).
>
>Thanks, makes sense.
>
>I'm hopping workstations recently, and my general habit is to create new
>keys on each machine I'm using and register them wherever needed.
>(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)
>
>I guess I shouldn't do that with Guix push access and instead keep a GPG
>key on a USB drive or such.
>
>
>- Taylan
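
Added example (not part of the original message, and not Guix's own code): a simplified Python model of the point made in the quoted reply, that only the .guix-authorizations file inside the repository decides whether a signer is accepted. It uses the per-parent rule documented for "guix git authenticate"; the fingerprints, commit ids and the helper first_unauthorized are constructed for illustration, and the keyring branch and OpenPGP verification are left out.

```python
from dataclasses import dataclass

# Constructed fingerprints and commit ids; not values from the Guix repository.
MAINT, OLD, NEW = "FPR-MAINTAINER", "FPR-OLD-LAPTOP", "FPR-NEW-LAPTOP"


@dataclass(frozen=True)
class Commit:
    cid: str
    parents: tuple             # ids of parent commits
    signer: str                # fingerprint of the key that signed the commit
    authorizations: frozenset  # keys listed in .guix-authorizations at this commit


def first_unauthorized(history, intro_id, intro_signer):
    """Return the id of the first commit that fails the check, or None.

    `history` lists commits parents-first, starting at the introduction commit.
    Model rule: a commit passes only if its signer is listed in the
    .guix-authorizations file of every one of its parents.
    """
    seen = {}
    for c in history:
        if c.cid == intro_id:
            ok = c.signer == intro_signer  # trust anchor, checked by fingerprint
        else:
            ok = bool(c.parents) and all(
                p in seen and c.signer in seen[p].authorizations
                for p in c.parents)
        if not ok:
            return c.cid
        seen[c.cid] = c
    return None


BASE = frozenset({MAINT, OLD})
INTRO = Commit("c0", (), MAINT, BASE)

# New key registered only with the hosting account: the repository never saw it.
FORGE_ONLY = [INTRO, Commit("c1", ("c0",), NEW, BASE)]
# New key adds itself in the commit it signs: still judged by the parent's file.
SELF_ADDED = [INTRO, Commit("c1", ("c0",), NEW, BASE | {NEW})]
# Rotation: an already-authorized key signs the commit that adds the new key.
ROTATED = [INTRO,
           Commit("c1", ("c0",), OLD, BASE | {NEW}),
           Commit("c2", ("c1",), NEW, BASE | {NEW})]

if __name__ == "__main__":
    for name, hist in [("forge-only", FORGE_ONLY), ("self-added", SELF_ADDED),
                       ("rotated", ROTATED)]:
        print(name, "->", first_unauthorized(hist, "c0", MAINT))
```

Only the ROTATED history passes: a per-machine key becomes usable once a commit signed by an already-authorized key has added it to the file.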