GNU bug report logs - #42048
[PATCH 0/6] Authenticated channels for everyone!

Previous Next

Full log

View this message in rfc822 format

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 42048 <at> debbugs.gnu.org
Subject: [bug#42048] [PATCH 6/6] services: provenance: Save channel introductions.
Date: Wed, 01 Jul 2020 14:25:04 +0200

Ludovic Courtès <ludo <at> gnu.org> writes:

> So yes, I suppose we would need to extend the ‘.guix-channel’ format for
> dependencies.  Luckily it should be quite simply because that format is
> extensible; older Guix versions would ignore the ‘introduction’ field.
> It would look something like this:
>
>      (channel
>       (version 0)
>       (dependencies
>        (channel
>         (name some-collection)
>         (url "https://example.org/first-collection.git")
>         (introduction (channel-introduction
>                         (version 0)
>                         (commit "…")
>                         (signer "…"))))
>        (channel
>         (name some-other-collection)
>         (url "https://example.org/second-collection.git")
>         (branch "testing"))))   ;not an authenticated channel
>
> It does mean that a channel can indirectly trick you into turning off
> authentication for a dependent channel.  But I think that’s within the
> expectations for channels: when you choose a channel, you trust it
> enough to run its code.
>
> WDYT?

This sounds reasonable.  I agree that you’ve got to trust the channel
authors anyway, so allowing them to provide the introduction is fair.

-- 
Ricardo

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.