GNU bug report logs - #70818
[PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 7 May 2024 14:15:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 70818 <at> debbugs.gnu.org, Florian Pelz <pelzflorian <at> pelzflorian.de>, Skyler Ferris <skyvine <at> protonmail.com>, guix-security <at> gnu.org
Subject: [bug#70818] [PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.
Date: Wed, 22 May 2024 20:55:16 -0400

Hi!

Ludovic Courtès <ludo <at> gnu.org> writes:

> The previous recommendation, running ‘make authenticate’, was insecure
> because it led users to run code from the very repository they want to
> authenticate:
>
>   https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html
>
> * Makefile.am (commit_v1_0_0, channel_intro_commit)
> (channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
> * Makefile.am (.git/hooks/%): New target, generalization of previous
> ‘.git/hooks/pre-push’ target.
> (nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
> * doc/contributing.texi (Building from Git): Suggest ‘guix git
> authenticate’ instead of ‘make authenticate’.
> * etc/git/post-merge: New file.
> * etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
> authenticate’.
>
> Reported-by: Skyler Ferris <skyvine <at> protonmail.com>
> Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd

Reviewed-by: Maxim Cournoyer <maxim.cournoyer <at> gmail>

(taking into account the typo spotted by Florian).

Thank you for addressing this!

-- 
Thanks,
Maxim
This bug report was last modified 1 year and 53 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.