GNU bug report logs - #42048
[PATCH 0/6] Authenticated channels for everyone!

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Thu, 25 Jun 2020 21:05:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #44 received at 42048 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 42048 <at> debbugs.gnu.org
Subject: Re: [bug#42048] [PATCH 6/6] services: provenance: Save channel
 introductions.
Date: Tue, 30 Jun 2020 22:28:52 +0200

Hi Ricardo,

Ricardo Wurmus <rekado <at> elephly.net> skribis:

> I looked through the changes and while I don’t fully understand the need
> for adding the introduction to the provenance data, it looks good to
> me.  Thank you!

Overall the idea is that a channel spec should always come with its
introduction; together they identify the channel and thus should not be
separated.

Adding the introduction to the provenance data allows ‘guix describe’ to
show the introduction, to ensure it’s not lost in transit.

Does that make sense?

> One thing that I worry about is authentication of channels that are
> added as dependencies of user-selected channels.  Let’s say my channel
> “guix-bimsb” depends on “guix-past”.  How will users of “guix-bimsb”
> authenticate the commits of “guix-past” when they don’t know about
> “guix-past” (they only care about “guix-bimsb”), and don’t explicitly
> add introduction information to their channels file?
>
> Is there something that the authors of “guix-bimsb” can do to not only
> indicate the dependency on “guix-past”, but also to attach introduction
> information?  Will the format of the “.guix-channel” need to be
> adjusted?

That’s a very good question and I had completely overlooked it.

With this patch set, someone pulling guix-bimsb would just end up
pulling guix-past unauthenticated; there’s not even a warning.

(There’s currently a warning in (guix channels), but only when pulling
an unauthenticated 'guix channel.  It’s perhaps too early to have that
warning enabled for all channels.  WDYT?)

So yes, I suppose we would need to extend the ‘.guix-channel’ format for
dependencies.  Luckily it should be quite simply because that format is
extensible; older Guix versions would ignore the ‘introduction’ field.
It would look something like this:

     (channel
      (version 0)
      (dependencies
       (channel
        (name some-collection)
        (url "https://example.org/first-collection.git")
        (introduction (channel-introduction
                        (version 0)
                        (commit "…")
                        (signer "…"))))
       (channel
        (name some-other-collection)
        (url "https://example.org/second-collection.git")
        (branch "testing"))))   ;not an authenticated channel

It does mean that a channel can indirectly trick you into turning off
authentication for a dependent channel.  But I think that’s within the
expectations for channels: when you choose a channel, you trust it
enough to run its code.

WDYT?

Thanks for reviewing!

Ludo’.
This bug report was last modified 4 years and 320 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.