GNU bug report logs -
#57909
Add link to 'pre-inst-env' from 'installing from git' docs
Previous Next
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
merge 57909 57910
thanks
The given example "make authenticate" is insecure, it has a TOCTTOU
problem as indicated at <https://issues.guix.gnu.org/22883#59>:
> Moreover, I don't think running 'make authenticate' after 'git pull'
> would really work -- after you pulled, git-authenticate could've been
> modified, so the verify-commit you did earlier doesn't apply anymore.
The solution that was proposed
> We can solve it by removing ./pre-inst-env from the command in ‘make
> authenticate’.
would be undone by the proposed patch. Even then, it remains insecure,
as an attacker could have modified the "make authenticate", as explained
in more detail at <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.
As such, I think we really shouldn't recommend "make authenticate" (and
even remove "make authenticate". In fact, I think we should remove
"make authenticate" and replace the instructions with a direct "guix git
authenticate ...".
As such, I propose that:
* you adjust the patch to note that authenticating the checkout is
impossible if you don't already have Guix installed (instead of
recommending the insecure "make authenticate")
* I write a patch removing "make authenticate" and adjusting old uses
of "make authenticate" to "guix git authenticate ...".
Greetings,
Maxime.
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
This bug report was last modified 2 years and 267 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.