GNU bug report logs - #61246
[PATCH] gnu: libgit2: Update to 1.5.1.

Previous Next

Full log

Message #80 received at 61246 <at> debbugs.gnu.org (full text, mbox):

From: André Batista <nandre <at> riseup.net>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 61246 <at> debbugs.gnu.org
Subject: Re: [bug#61246] [PATCH v3 2/3] doc: Explain how to use local guix
 repositories.
Date: Wed, 22 Feb 2023 15:10:39 -0300

Hi Maxim,

sáb 18 fev 2023 às 12:35:32 (1676734532), maxim.cournoyer <at> gmail.com enviou:
> 
> --8<---------------cut here---------------start------------->8---
> Note that you can specify a local directory on the @code{url} field
> above if the channel that you intend to use resides on a local file
> system.  However, in this case @command{guix}@footnote{More accurately,
> @command{git}, which Guix utilizes via the @code{libgit2} library.}
> checks said directory for ownership before any further processing.  This
> means that if the user is not the directory owner, but wants to use it
> as their default, they will then need to set it as a safe directory in
> their global git configuration file.  Otherwise, @command{guix} will
> refuse to even read it.  Supposing your system-wide local directory is
> at @code{/src/guix.git}, you would then create a git configuration file
> at @code{~/.gitconfig} with the following contents:
> --8<---------------cut here---------------end--------------->8---

I don't think it's more accurate to say it's @command{git}.

Looking at the manual, on section 7.4 "Channel Authentication", it says:

---

The @command{guix pull} and @command{guix time-machine} commands
@dfn{authenticate} the code retrieved from channels: they make sure each
commit that is fetched is signed by an authorized developer.  The goal
is to protect from unauthorized modifications to the channel that would
lead users to run malicious code.

As a user, you must provide a @dfn{channel introduction} in your
channels file so that Guix knows how to authenticate its first commit.
A channel specification, including its introduction, looks something
along these lines:

---

Then it goes on to describe how to insert a openpgp fingerprint, a
commit hash, but it does not say it's @command{git}, nor
@command{gnupg}, and it has no word to say about gcrypt library,
libgit2 or guile and IMO it's good as is.

Anyway, would it satisfy your concerns if I were to send another patch
version with the following contents?

--8<---------------cut here---------------start------------->8---
Note that you can specify a local directory on the @code{url} field
above if the channel that you intend to use resides on a local file
system.  However, in this case Guix checks said directory for ownership
before any further processing and it will, by default, abort execution
if the configured directory is neither owned by the calling user nor
has it been configured as a safe directory in the user's global
@command{git} configuration file at @code{~/.gitconfig}, which Guix
honors <at> footnote{If you know your @command{git}, this security measure
mimicks what it does.}.  Supposing your system-wide local channel is
at @code{/src/guix.git}, you would then declare it a safe directory by
adding the following configuration directives to your @command{git}
global configuration file:
--8<---------------cut here---------------end--------------->8---

Cheers,

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.