From: Leo Famulari
Subject: bug#22883: Trustable "guix pull"
Date: Mon, 25 Apr 2016 20:13:59 -0400
To: Ludovic Courtès
Cc: 22883@debbugs.gnu.org

On Tue, Apr 26, 2016 at 12:25:11AM +0200, Ludovic Courtès wrote:
> Hello!
>
> Christopher Allan Webber skribis:
>
> > On top of that, even if you run from git proper what there isn't a test
> > about is: can you trust those latest commits? Git doesn't really check,
> > at least by default.
> >
> > https://mikegerwitz.com/papers/git-horror-story
> >
> > How about this: anyone with commit access should use "signed off by" and
> > gpg signatures combined. We should keep some list of guix committers'
> > gpg keys. No commit should be pushed to guix without a gpg signature.
> > At this point, at least, there is some possibility of auditing things.
>
> To make progress on this front, I’ve decided to start signing all my
> commits, so:
>
> --8<---------------cut here---------------start------------->8---
> $ git config commit.gpgsign
> true
> $ git config --global user.signingkey
> 090B11993D9AEBB5
> --8<---------------cut here---------------end--------------->8---
>
> I invite everyone to do the same. Hopefully, within a few weeks, we can
> add a commit hook to reject unsigned commits.

Okay.

> Note that we’ll be signing patches we push on behalf of contributors who
> do not have commit access (reviewer’s responsibility).
>
> Also, rebasing, amending, and cherry-picking code signed by someone else
> would lose the original signature, which isn’t great and should be
> avoided, if possible.

I think it's common to make minor edits when committing on behalf of
others. For example, the committer might clean up a commit message or
standardize indentation. How should we handle this?
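
The "commit hook to reject unsigned commits" and the "list of guix committers' gpg keys" discussed above, sketched as a server-side pre-receive hook. This is an added example, not part of the original thread and not Guix's own hook; the allowlist path, its one-fingerprint-per-line format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-receive hook rejecting pushes whose
# commits are unsigned or signed by a key outside a committers allowlist.
# Assumed: git's GnuPG keyring on the server holds the committers' public keys.

# Hypothetical path; one signing-key fingerprint (as printed by %GF) per line.
ALLOWED_KEYS_FILE="${ALLOWED_KEYS_FILE:-/etc/git/committer-fingerprints}"

# stdin: "<sha> <%G? status> <fingerprint>" per commit.
# Prints a REJECT line per offending commit; returns 1 if any was rejected.
check_signatures() {
    rc=0
    while read -r sha status fpr; do
        [ -n "$sha" ] || continue
        case "$status" in
            G|U) # signature verifies (U: good signature, key validity unknown)
                if [ -z "$fpr" ] || ! grep -qixF -- "$fpr" "$ALLOWED_KEYS_FILE"; then
                    echo "REJECT $sha: signed by unlisted key ${fpr:-unknown}"; rc=1
                fi ;;
            N)  echo "REJECT $sha: no signature"; rc=1 ;;
            *)  echo "REJECT $sha: signature not acceptable (%G? = $status)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# stdin: "<old> <new> <ref>" per updated ref, as git passes to pre-receive.
run_hook() {
    fail=0
    while read -r old new ref; do
        case "$new" in *[!0]*) ;; *) continue ;; esac   # all zeros: ref deleted
        case "$old" in
            *[!0]*) range="$old..$new" ;;
            *)      range="$new --not --all" ;;          # new ref: only unseen commits
        esac
        # $range is split into arguments on purpose.
        git log --format='%H %G? %GF' $range </dev/null | check_signatures || fail=1
    done
    return "$fail"
}

# Run only when installed as hooks/pre-receive, so the functions can be tested alone.
case "$0" in *pre-receive) run_hook ;; esac
```

Because the check is on the signature each pushed commit carries, a patch pushed on behalf of a contributor passes only if the committer who pushed it signed it with a listed key.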