From: Leo Famulari <leo@famulari.name>
To: Taylan Kammer <taylan.kammer@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 14:16:35 -0500
Message-ID: <YEpsk4wCoZ4VQCWA@jasmine.lan>
In-Reply-To: <8f198b1a-9e31-bc29-922f-2c1dd404390c@gmail.com>

On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
> Damn, sorry about that.  I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.

The security model is based on the client-side, i.e. `guix pull`. That
way, we don't have to trust the Git repo. We do want to improve the repo
so that it's not possible to push commits signed with unauthorized keys,
but that hasn't been done yet.
  
> However, I also assumed that adding a new GPG key to my savannah.gnu.org
> account would be sufficient.  I did that via the web interface, and
> ensured that the encryption test is successful.  The commit is signed
> with that new GPG key.

Adding your key(s) to your Savannah account is a required step...

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo, or are they not automatically synced, or is
> this a further bug?..

... but, we have a new code authentication system, described in the
manual section Specifying Channel Authorizations:

https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html

Basically, committers' keys must be added to the .guix-authorizations
file in the Git repo before their work will be accepted by `guix pull`.

We are really happy that you are pushing code again :)

When this issue popped up yesterday, I removed your commit access just
to avoid further broken commits. Concretely, this means that I removed
you from the Guix "group" on Savannah.

However, I want to re-add you as a committer. Please read the manual
section Commit Access. Especially, the part about the pre-push Git
hook, which would have caught this issue before pushing.

https://guix.gnu.org/manual/en/html_node/Commit-Access.html

Let me know when you've read the updated committer workflow guidelines
and installed the pre-push Git hook, and we'll add your new key to
.guix-authorizations, re-add you to the Savannah group, and then we can
continue with our happy hacking :)
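
The rule behind the `.guix-authorizations` check mentioned above, as an added example that is not part of the original message and not Guix's own code: per the Guix manual, a commit is accepted only if its signing key is listed in the `.guix-authorizations` file of its parent commit. The fingerprints, commit ids and helper names are constructed, history is assumed linear, and OpenPGP signature verification itself is left out.

```python
import re

# Constructed sample data: fingerprints, names and commit ids are made up.
ALICE = "A11C E000 0000 0000 0000  0000 0000 0000 0000 0001"
BOB = "B0B0 0000 0000 0000 0000  0000 0000 0000 0000 0002"
ONLY_ALICE = f'''(authorizations
 (version 0)               ;current file format version
 (("{ALICE}"
   (name "alice"))))'''
WITH_BOB = f'''(authorizations
 (version 0)
 (("{ALICE}"
   (name "alice"))
  ("{BOB}"
   (name "bob"))))'''


def normalize(fpr):
    """Fingerprints are compared without whitespace, case-insensitively."""
    return re.sub(r"\s+", "", fpr).upper()


def authorized_fingerprints(text):
    """Return the set of key fingerprints listed in a .guix-authorizations file."""
    text = re.sub(r";[^\n]*", "", text)        # drop Scheme comments
    quoted = re.findall(r'"([^"]*)"', text)    # fingerprints and names
    return {f for f in map(normalize, quoted)
            if re.fullmatch(r"[0-9A-F]{40}", f)}


def first_unauthorized(history):
    """history: (commit_id, signer_fingerprint, authorizations_text) tuples,
    oldest first; the first entry is the trusted starting commit.
    Returns the id of the first commit whose signer is not listed in its
    parent's authorizations file, or None if the whole chain is authorized."""
    for parent, child in zip(history, history[1:]):
        if normalize(child[1]) not in authorized_fingerprints(parent[2]):
            return child[0]
    return None


# Key uploaded to the forge but never added to the file: rejected.
NOT_LISTED = [("c0", ALICE, ONLY_ALICE), ("c1", BOB, ONLY_ALICE)]
# A commit cannot authorize its own signer: the parent's file decides.
SELF_ADDED = [("c0", ALICE, ONLY_ALICE), ("c1", BOB, WITH_BOB)]
# An already-authorized committer adds the key first, then the new key is valid.
ADDED_FIRST = [("c0", ALICE, ONLY_ALICE), ("c1", ALICE, WITH_BOB),
               ("c2", BOB, WITH_BOB)]
```

This is why the new key has to be added to the file by an existing committer before the new key's owner pushes anything signed with it.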
