From: Ricardo Wurmus
Subject: bug#22883: Authenticating a Git checkout
Date: Fri, 27 Dec 2019 20:48:05 +0100
Message-ID: <87png9o8i2.fsf@elephly.net>
In-reply-to: <87bmkwm8ed.fsf@gnu.org>
To: Ludovic Courtès
Cc: 22883@debbugs.gnu.org

Ludovic Courtès writes:

> Hello,
>
> Just a note for later…
>
> ludo@gnu.org (Ludovic Courtès) skribis:
>
>> With the quick-hack libgit2 bindings attached, I can run this program,
>> which authenticates HEAD:
>
> [...]
>
>> So I think we can go from here. Our repo would contain a Scheme list of
>> authorized OpenPGP fingerprints, and we’d check whether the fingerprint
>> that shows up in ‘valid-signature’ above is among them
>
> Storing the list of authorized keys in a file in the repo is
> inconvenient: simply to retrieve it, you’d need to make a checkout. So
> for each commit we verify, we have to check out the whole repo, which is
> inefficient.
>
> While reading
> , I
> realized we could store in empty Git commit messages, which would
> address the above problem (we could use a custom object type too, but
> that would be less convenient.)
>
> So the special commit could look like:
>
>   Authorization
>
>   (commit-authorizations
>     (authorization-commit (KEY1 KEY2 …))
>     (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))
>     (files _ (KEY1 KEY2 …)))   ;all other files
>
> That way, to authenticate a commit, we first fetch the latest
> authorization commit, read the authorization rules from there, and make
> sure that the changes it makes match the rules.
>
> Thoughts?

Does this *have* to be baked into git? Or are we like the carpenter
apprentice who just learned how to use a hammer and considers everything
to be a kind of nail…?

I see the appeal of having everything in git as that’s where the commits
are that should be authenticated, but using special commit messages
seems to me like shoehorning update authorization into a code revision
tool.

You mentioned that checking signatures on commits is also kinda slow
because it’s sequential and not cached. I don’t know what I really want,
but is there perhaps a way to aggregate signatures on past commits so
that the client’s work is reduced…?

(I’m very glad you’re thinking about this problem and that you’ve come up
with practical steps forward! I don’t know if my thoughts on this topic
are useful.)

--
Ricardo
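The rule-matching step Ludovic sketches (read the rules from the latest authorization commit, then check that a commit's signer and changed files satisfy them), modelled as an added Python illustration that is not Guix's own Guile code; the rule layout mirrors the quoted `commit-authorizations` form, and the KEY1/KEY2 fingerprints and every path other than hydra.gnu.org.pub are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Rules mirror the quoted (commit-authorizations ...) form, as Python tuples:
#   ("authorization-commit", {keys})   who may sign the next rule-changing commit
#   ("files", (paths...), {keys})      who may touch the listed paths
#   ("files", None, {keys})            the `_` catch-all for every other file
# KEY1/KEY2 are constructed placeholder fingerprints, not real keys.
RULES = [
    ("authorization-commit", {"KEY1"}),
    ("files", ("hydra.gnu.org.pub",), {"KEY1"}),
    ("files", None, {"KEY1", "KEY2"}),
]


@dataclass(frozen=True)
class Commit:
    signer: Optional[str]           # fingerprint from a valid signature, or None
    changed_files: tuple            # paths touched by the commit's diff
    is_authorization: bool = False  # an (empty) commit that rewrites the rules


def keys_for_file(rules, path):
    """Fingerprints allowed to change `path`: the first explicit match wins,
    otherwise the catch-all; an empty set means nobody may touch it."""
    catch_all = frozenset()
    for _kind, paths, keys in (r for r in rules if r[0] == "files"):
        if paths is None:
            catch_all = frozenset(keys)
        elif path in paths:
            return frozenset(keys)
    return catch_all


def authorized(rules, commit):
    """True iff the signer may make every change the commit carries."""
    if commit.signer is None:
        return False                      # unsigned or bad signature: reject
    if commit.is_authorization:
        # Only keys named by an authorization-commit rule may change the rules.
        rule_signers = set().union(
            *(r[1] for r in rules if r[0] == "authorization-commit"))
        if commit.signer not in rule_signers:
            return False
    # Each changed path must be covered by a rule naming this signer; a path
    # with no matching rule and no catch-all is denied.
    return all(commit.signer in keys_for_file(rules, p)
               for p in commit.changed_files)
```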