From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: bug#22883: Trustable "guix pull"
Date: Wed, 2 Mar 2016 14:26:42 -0500
Message-ID: <20160302192642.GA16774@jasmine>
References: <87io14sqoa.fsf@dustycloud.org>
In-Reply-To: <87io14sqoa.fsf@dustycloud.org>
To: Christopher Allan Webber
Cc: 22883@debbugs.gnu.org

On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
> Right now, when a user does a "guix pull", that pulls down the latest
> repository of code from git, which is kept in a tarball. Once you
> receive the latest code, this has some checks: what's the hash of each
> package, etc.

A discussion worth having. But, let's merge this bug into debbugs.gnu.org/22629.

Also, we should read "The Update Framework" as requested there.

> Unfortunately, it's delivered over http:
>
> (define %snapshot-url
>   ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
>   "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
>   )
>
> At minimum we should deliver this over HTTPS, ideally with a single
> certificate that is trusted by the user, so the user can't be easily
> MITM'ed.
>
> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits? Git doesn't really check,
> at least by default.
>
> https://mikegerwitz.com/papers/git-horror-story
>
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined. We should keep some list of guix committers'
> gpg keys. No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.
>
> Perhaps before a master.tar.gz is made, there can be some integrity
> check of the commits matching the current set of "trusted" keys?
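One way to implement the integrity check proposed in the quoted message (every commit in the range that goes into a snapshot must carry a good OpenPGP signature from a key on an explicit list of committer fingerprints), as an added example that is not part of this thread or of Guix's own tooling; the fingerprints, the keyring path and the git range are placeholders:

```sh
#!/bin/sh
# Added example: check that every commit in a range has a good OpenPGP
# signature from a key on an explicit allow-list of fingerprints, the way the
# thread proposes checking commits against "trusted" keys before a snapshot
# is cut. The fingerprints, keyring path and git range are placeholders.

# One trusted committer fingerprint per line (constructed placeholders).
TRUSTED_FPRS='
AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
1234567890ABCDEF1234567890ABCDEF12345678
'

# Reads lines of "<commit> <status> <fingerprint>" on stdin, the shape that
# git log --format='%H %G? %GF' produces (Git 2.19+ for %GF). %G? is G for a
# good signature, U for good but not in gpg's web of trust, N for unsigned,
# B for bad, E for missing key, X/Y/R for expired or revoked. %GF is the
# signing key's fingerprint, empty when there is no signature.
# Prints one REJECT line per offending commit; returns 0 only if none.
check_log_lines() {
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case "$status" in
            G|U) ;;   # verified; trust comes from our own list, not gpg's
            *) printf 'REJECT %s: signature status %s\n' "$commit" "${status:-?}"
               rc=1; continue ;;
        esac
        if [ -z "$fpr" ] || ! printf '%s\n' "$TRUSTED_FPRS" | grep -qx "$fpr"; then
            printf 'REJECT %s: key %s not in trusted list\n' "$commit" "${fpr:-<none>}"
            rc=1
        fi
    done
    return $rc
}

# Run the check over the commits a snapshot would contain, e.g.
# check_commits v0.9.0..master, verifying only against a dedicated keyring
# that holds nothing but the committers' keys (placeholder path).
check_commits() {
    GNUPGHOME="${GUIX_KEYRING_HOME:-$HOME/.guix-keyring}" \
        git log --format='%H %G? %GF' "$1" | check_log_lines
}
```

Because the allow-list is checked by fingerprint, a status of U (good signature, key not trusted by gpg's own web of trust) is accepted; what decides trust is membership in the list, so the list itself must be distributed through a channel the user already trusts.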