From: "Ludovic Courtès" <ludo@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: 22883@debbugs.gnu.org
Subject: bug#22883: Authenticating a Git checkout
Date: Sat, 28 Dec 2019 18:45:36 +0100 [thread overview]
Message-ID: <87k16g9we7.fsf@gnu.org> (raw)
In-Reply-To: <87k16go2oq.fsf@elephly.net> (Ricardo Wurmus's message of "Sat, 28 Dec 2019 17:05:57 +0100")
Hi,
Ricardo Wurmus <rekado@elephly.net> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb
>> makes things acceptable: the first “make authenticate” run takes a bit
>> more than two minutes to check all the commits starting from ‘v1.0.1’,
>> but subsequent runs take a few seconds.
>
> This sounds good.
>
> I wonder how we would integrate this into “guix pull”. For
> authentication to work at all the user would have to have *all* past
> keys. (I’m missing at least one of the keys, because only current keys
> are contained in the keyring on Savannah.)
Right. Clearly we shouldn’t rely on key servers because it’s brittle,
keys might be missing, it requires the whole GnuPG shebang to fetch a
single key, etc.
Instead, what I have in mind is to have a branch in the same repo
containing a complete keyring of the past and current keys (say, one
file per key). The machinery would thus start by loading the keyring
and then use it when verifying signatures.
We can generalize that to all channels: ‘.guix-channel’ could specify
(1) a keyring branch, and (2) the name of a file listing authorized
keys.
How does that sound?
Thanks,
Ludo’.
next prev parent reply other threads:[~2019-12-28 17:46 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 18:03 bug#22883: Trustable "guix pull" Christopher Allan Webber
2016-03-02 19:26 ` Leo Famulari
2016-03-02 21:07 ` Christopher Allan Webber
2016-04-25 22:25 ` Ludovic Courtès
2016-04-26 0:13 ` Leo Famulari
2016-04-26 0:17 ` Thompson, David
2016-04-26 7:12 ` Ludovic Courtès
2016-04-30 4:43 ` Mike Gerwitz
2016-06-03 16:12 ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2016-06-03 20:17 ` Leo Famulari
2016-06-04 11:04 ` Ludovic Courtès
2016-06-04 4:24 ` Mike Gerwitz
2016-06-04 11:17 ` Ludovic Courtès
2016-06-04 12:45 ` ng0
2016-06-06 12:20 ` ng0
2016-06-04 16:14 ` Mike Gerwitz
2016-06-05 20:39 ` Christopher Allan Webber
2016-06-05 21:15 ` Leo Famulari
2016-06-06 2:41 ` Mike Gerwitz
2016-06-06 7:01 ` Ludovic Courtès
2016-07-22 8:22 ` Ludovic Courtès
2016-07-22 12:58 ` Thompson, David
2016-07-22 13:58 ` Ludovic Courtès
2017-10-24 23:30 ` Ludovic Courtès
2019-12-27 19:48 ` Ricardo Wurmus
2019-12-28 14:47 ` Ludovic Courtès
2019-12-28 16:05 ` Ricardo Wurmus
2019-12-28 17:45 ` Ludovic Courtès [this message]
2020-04-30 15:32 ` Ludovic Courtès
2020-05-01 15:46 ` Justus Winter
2020-05-01 16:50 ` Ludovic Courtès
2020-05-01 17:04 ` Ludovic Courtès
2020-05-19 20:23 ` Ludovic Courtès
2020-06-01 14:07 ` bug#22883: Channel introductions Ludovic Courtès
2020-06-02 23:45 ` zimoun
2020-06-03 9:50 ` Ludovic Courtès
2020-06-03 16:20 ` zimoun
2020-06-04 9:55 ` Ludovic Courtès
2020-05-01 17:20 ` bug#22883: Authenticating a Git checkout Ludovic Courtès
2020-05-02 22:02 ` Ludovic Courtès
2020-05-04 8:03 ` Ludovic Courtès
2016-06-01 16:47 ` bug#22883: Discussion of TUF in the context of Git checkout authentication Ludovic Courtès
2016-05-15 12:40 ` bug#22883: Trustable "guix pull" fluxboks
2016-05-16 17:55 ` Thompson, David
2016-05-17 21:19 ` Ludovic Courtès
2016-06-04 16:19 ` Werner Koch
2016-06-04 22:27 ` Ludovic Courtès
2016-06-05 7:51 ` Werner Koch
2016-06-06 21:01 ` Leo Famulari
2016-06-07 8:08 ` bug#22883: gpg2 vs. gpg Ludovic Courtès
2016-06-07 11:25 ` Werner Koch
2016-06-07 12:58 ` ng0
2016-06-05 1:43 ` bug#22883: Trustable "guix pull" Mike Gerwitz
2018-08-28 19:56 ` Vagrant Cascadian
2018-09-02 16:05 ` Ludovic Courtès
2018-09-02 17:15 ` Vagrant Cascadian
2018-09-02 20:07 ` Ludovic Courtès
2019-12-20 22:11 ` bug#22883: Authenticating Git checkouts: step #1 Ludovic Courtès
2019-12-20 22:11 ` Ludovic Courtès
2019-12-21 1:33 ` zimoun
2019-12-21 1:33 ` bug#22883: " zimoun
2019-12-27 12:58 ` Ludovic Courtès
2019-12-27 20:47 ` Ricardo Wurmus
2019-12-27 21:31 ` Alex Griffin
2019-12-30 21:23 ` Ludovic Courtès
2019-12-29 2:45 ` Vagrant Cascadian
2019-12-29 7:34 ` Efraim Flashner
2019-12-29 7:34 ` Efraim Flashner
2019-12-30 21:29 ` Ludovic Courtès
2019-12-30 21:29 ` Ludovic Courtès
2019-12-29 2:45 ` Vagrant Cascadian
2019-12-27 20:47 ` Ricardo Wurmus
2019-12-27 12:58 ` Ludovic Courtès
2019-12-31 19:16 ` Jakub Kądziołka
2020-01-08 13:30 ` Ludovic Courtès
2020-06-02 13:49 ` bug#22883: Authenticating a Git checkout John Soo
2020-06-03 9:33 ` Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 2/9] git-authenticate: 'authenticate-commits' takes a #:keyring parameter Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 3/9] tests: Move OpenPGP helpers to (guix tests gnupg) Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 5/9] channels: Make 'validate-pull' call right after clone/pull Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 6/9] .guix-channel: Add 'keyring-reference' Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 7/9] channels: Automatically add introduction for the official 'guix' channel Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 8/9] pull: Add '--disable-authentication' Ludovic Courtès
2020-06-08 21:54 ` bug#22883: [PATCH 9/9] DROP? channels: Add prehistorical authorizations to <channel-introduction> Ludovic Courtès
2020-06-08 22:04 ` bug#22883: [PATCH 1/9] git-authenticate: Cache takes a key parameter Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k16g9we7.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=22883@debbugs.gnu.org \
--cc=rekado@elephly.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.