GNU bug report logs - #22883
Trustable "guix pull"


Package: guix

Reported by: Christopher Allan Webber <cwebber <at> dustycloud.org>

Date: Wed, 2 Mar 2016 18:05:02 UTC

Severity: serious

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: ludo <at> gnu.org (Ludovic Courtès)
To: Mike Gerwitz <mtg <at> gnu.org>
Cc: Christopher Allan Webber <cwebber <at> dustycloud.org>, 22883 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: bug#22883: Authenticating a Git checkout
Date: Mon, 06 Jun 2016 09:01:50 +0200

Hello,

Mike Gerwitz <mtg <at> gnu.org> skribis:

> But there doesn't seem to be any way to secure a git repository against
> a second-preimage attack.

That’s by large beyond the scope of this discussion.  :-)

I think all we want is to allow someone who gets a checkout of Guix to
authenticate the source code, i.e., to make sure it was committed by one
of these awesome Guix hackers and not by Mr. Evildoer.

Ludo’.




This bug report was last modified 5 years and 53 days ago.
