GNU bug report logs - #61246
[PATCH] gnu: libgit2: Update to 1.5.1.

Previous Next

Package: guix-patches;

Reported by: André Batista <nandre <at> riseup.net>

Date: Fri, 3 Feb 2023 03:13:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: André Batista <nandre <at> riseup.net>
Cc: 61246 <at> debbugs.gnu.org
Subject: [bug#61246] [PATCH v3 2/3] doc: Explain how to use local guix repositories.
Date: Thu, 23 Feb 2023 17:38:45 -0500

Hi,

André Batista <nandre <at> riseup.net> writes:

> Hi Maxim,
>
> sáb 18 fev 2023 às 12:35:32 (1676734532), maxim.cournoyer <at> gmail.com enviou:
>> (...)
>> >> Perhaps you meant to use @command{git} in the above instead of
>> >> @command{guix}, since it's specific to Git (and the configure snippet is
>> >> for Git) ?
>> >
>> > Not really. It's guix itself and its subcommands which will fail in
>> > this scenario, not git, even though it's because guix is using git
>> > configuration through libgit2. To me it would be misleading to use
>> > @command{git} there. I could come up with a more detailed
>> > description, however, I don't think this would be the place to be
>> > diving on a detailed discussion of guix internals. I'm up to
>> > suggestions though if you think this patch would make people wonder
>> > if it is a typo.
>
> Just to be sure we are on the same page on this: have you followed on
> #55399? AKA Guix has a choice to make here since we could just as
> well decide to diverge from git and disable owner validation checks
> entirely in Guix. On the one side, users wouldn't need to bother with
> git configuration and the manual could do without this patch. On the
> other, would this divergence have any security implications? As far
> as I can see it doesn't, but I may not be seeing far enough and we
> would be hard coding and burying this decision in Guix.
>
> Also we wouldn't be exempting one chosen directory of these checks,
> but disabling it altogether in Guix.

I'm not sure of the security implications this new git switch tries
addressing, so I'd have to read about it more before I can commit on
what's right to do.  In the meantime, we have a recent libgit2 and users
have instructions about dealing with its new security "features", so it
still seems a plus to me.

-- 
Thanks,
Maxim
This bug report was last modified 2 years and 93 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.