Subject: Re: Commit pushed to master with unauthorised signature
From: Taylan Kammer
To: Maxime Devos, Tobias Geerinckx-Rice, guix-devel@gnu.org
Date: Thu, 11 Mar 2021 14:11:38 +0100
Message-ID: <19be2417-8fc3-2b13-0a17-975fe0d5c1cc@gmail.com>
In-Reply-To: <339a5b55eeb5032216778ba01a17dd603335c095.camel@telenet.be>

On 11.03.2021 08:37, Maxime Devos wrote:
> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>> [...]
>> Damn, sorry about that. I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
>>
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient.
>
> "guix pull" only looks at the git repo (the .guix-authorizations file + the
> keyring branch), and not anything else provided by savannah. Doing so would
> introduce an additional point where the "guix pull" mechanism could be
> compromised. The git repository could as well have been hosted at
> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>
> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
> ‘7.4 Invoking ‘guix git authenticate’’).

Thanks, makes sense.

I'm hopping workstations recently, and my general habit is to create new
keys on each machine I'm using and register them wherever needed. (E.g.
.ssh/authorized_keys on machines I access, GitHub account, etc.)
I guess I shouldn't do that with Guix push access and instead keep a GPG
key on a USB drive or such.

- Taylan
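
The rule behind the quoted explanation, sketched as a simplified Python model (an added illustration, not part of this message and not Guix's implementation): a commit is accepted only if its signing key is listed in the .guix-authorizations file of each of its parent commits, so nothing registered outside the repository counts. Commit ids and fingerprints are constructed, and OpenPGP signature verification against the keyring branch is assumed to have already succeeded.

```python
# Simplified model (not Guix's code) of the authorization rule: a commit is
# accepted only if its signing key is listed in the .guix-authorizations
# file of every parent commit. Ids and fingerprints are constructed.
OLD_KEY = "AAAA 1111"    # constructed: key already authorized in the repo
NEW_KEY = "BBBB 2222"    # constructed: key generated on a new workstation
MAINT_KEY = "CCCC 3333"  # constructed: another committer's key

BASE = {MAINT_KEY, OLD_KEY}

# commit id -> (parents, signer, keys listed in that commit's authorizations)
REJECTED = {
    "intro": ([], MAINT_KEY, BASE),
    "c1": (["intro"], OLD_KEY, BASE),
    # Signed with NEW_KEY and adds NEW_KEY to the file in the same commit:
    # still rejected, because the *parent's* file is what counts.
    "c2": (["c1"], NEW_KEY, BASE | {NEW_KEY}),
}

ACCEPTED = {
    "intro": ([], MAINT_KEY, BASE),
    "c1": (["intro"], OLD_KEY, BASE),
    # An already-authorized key introduces NEW_KEY first ...
    "add-key": (["c1"], OLD_KEY, BASE | {NEW_KEY}),
    # ... so a later commit signed with NEW_KEY passes.
    "c2": (["add-key"], NEW_KEY, BASE | {NEW_KEY}),
}


def unauthorized_commits(history, introduction, tip):
    """Walk from tip back to the trusted introduction commit and return the
    ids of commits whose signer is not authorized by every parent."""
    bad, seen, stack = [], set(), [tip]
    while stack:
        cid = stack.pop()
        if cid in seen or cid == introduction:
            continue
        seen.add(cid)
        parents, signer, _ = history[cid]
        # A parentless commit other than the introduction has no trust anchor.
        if not parents or any(signer not in history[p][2] for p in parents):
            bad.append(cid)
        stack.extend(parents)
    return sorted(bad)


if __name__ == "__main__":
    print(unauthorized_commits(REJECTED, "intro", "c2"))  # ['c2']
    print(unauthorized_commits(ACCEPTED, "intro", "c2"))  # []
```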