From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id gG0SFIya314tMQAA0tVLHw (envelope-from ) for ; Tue, 09 Jun 2020 14:19:56 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id aDYfEIya317lSAAA1q6Kng (envelope-from ) for ; Tue, 09 Jun 2020 14:19:56 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B0372940669 for ; Tue, 9 Jun 2020 14:19:55 +0000 (UTC) Received: from localhost ([::1]:59568 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jif6X-000623-23 for larch@yhetil.org; Tue, 09 Jun 2020 10:19:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:55060) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jif3m-0002tf-OQ for guix-patches@gnu.org; Tue, 09 Jun 2020 10:17:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:48956) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jif3m-0008Km-Eq for guix-patches@gnu.org; Tue, 09 Jun 2020 10:17:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jif3m-00020a-A9 for guix-patches@gnu.org; Tue, 09 Jun 2020 10:17:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#41767] [PATCH 0/9] Authenticate channels Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 09 Jun 2020 14:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41767 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: zimoun Cc: 41767@debbugs.gnu.org Received: via spool by 41767-submit@debbugs.gnu.org id=B41767.15917122047693 (code B ref 41767); Tue, 09 Jun 2020 14:17:02 +0000 Received: (at 41767) by debbugs.gnu.org; 9 Jun 2020 14:16:44 +0000 Received: from localhost ([127.0.0.1]:60502 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jif3T-000200-Jk for submit@debbugs.gnu.org; Tue, 09 Jun 2020 10:16:43 -0400 Received: from eggs.gnu.org ([209.51.188.92]:46908) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jif3S-0001zp-4N for 41767@debbugs.gnu.org; Tue, 09 Jun 2020 10:16:42 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:42178) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jif3M-0008Jl-S9; Tue, 09 Jun 2020 10:16:36 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=60624 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jif3M-0005Z6-BH; Tue, 09 Jun 2020 10:16:36 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <20200608215224.2672-1-ludo@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 22 Prairial an 228 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Tue, 09 Jun 2020 16:16:34 +0200 In-Reply-To: (zimoun's message of "Tue, 9 Jun 2020 12:52:38 +0200") Message-ID: <875zc0jpdp.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -3.3 (---) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Spam-Score: -1.01 X-TUID: o8AHA223Uv8G Hi Simon, zimoun skribis: > From my understanding, there are 4 situations > > 1- add signed material to a signed channel > 2- introduce authentication to an unsigned channel > 3- add unsigned material to a signed channel > 4- add unsigned material to unsigned channel I=E2=80=99m not sure what material you have in mind. There are in my view only two situations: a channel that can be authenticated (it has signed commits, =E2=80=98.guix-authorizations=E2=80= =99, and an =E2=80=9Cintroduction=E2=80=9D), and one that cannot. The idea is that a channel that can be authenticated would remain that way =E2=80=9Cforever=E2=80=9D. > And I am interested by how it works for the situation #3. For a > concrete example of 3., e.g., > > git clone https://git.savannah.gnu.org/git/guix.git > git worktree add -b foo wk/foo > cd wk/foo > # add my unready stuff > ./pre-inst-env guix pull --branch=3Dfoo --url=3D$PWS -p /tmp/foo > /tmp/foo/bin/guix install unready-stuff > > In this case, do I have to use the option '--disable-authentication'? Yes, you can always use it. > And this is the scenario for almost all the patches on guix-patches; > even if 'pull' is generally not necessary when testing the patch. :-) Right. When hacking, I just use ./pre-inst-env to test my stuff. > Another example is let consider that this channel [2] -- or any other > public one used by labs to publish specific tools; I am not aware > about one by INRIA ;-) -- and let imagine that this channel is > authenticated, i.e., there is a '.guix-authorizations' file. Now, can > I fork this channel and my unsigned material without entering in the > security dance? Do I need to use the option > '--disable-authentication'? Note that this patch set changes nothing for third-party channels. (Attentive readers will find out how to make an authenticated channel, but it=E2=80=99s undocumented and inconvenient to use.) In the future, I think =E2=80=98guix pull=E2=80=99 will merely print a warn= ing when using an unauthenticated channel. That=E2=80=99s something we=E2=80=99ll h= ave to discuss. If you want to fork an =E2=80=9Cauthenticated channel=E2=80=9D, you don=E2= =80=99t have to keep it authenticated. In essence, something who writes: (channel (name 'zimoun) (url "https://zimoun.example.org")) states that they want to fetch code from your channel, but that no authentication will take place because there=E2=80=99s no =E2=80=98introduc= tion=E2=80=99 field. > Moreover, if this forked channel is added to > '~/.config/guix/channels.scm', i.e., in addition to > '%default-channel', what happens for pulling? Well, it is not > possible to pull a signed channel and an "unauthorized fork from a > signed channel" in only one command, right? With this patch set, =E2=80=98guix pull=E2=80=99 just behaves the same as n= ow. In the future, it would probably just print a warning about the unauthenticated channel. > Well, I am sorry to be insistent but this authentication machinery > seems having an hard implication in my workflow and I would like to be > prepared. Definitely, feedback like this is very helpful. I think it=E2=80=99s important for all of us to think about the implication= s. Surely we want security, but not at the cost of usability. Thanks, Ludo=E2=80=99.