GNU bug report logs - #22883
Trustable "guix pull"

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: serious; Reported by: Christopher Allan Webber <cwebber@HIDDEN>; Keywords: security; dated Wed, 2 Mar 2016 18:05:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 2 Sep 2018 17:15:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 02 13:15:31 2018
Received: from localhost ([127.0.0.1]:43257 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1fwVyF-0008SK-2O
	for submit <at> debbugs.gnu.org; Sun, 02 Sep 2018 13:15:31 -0400
Received: from cascadia.aikidev.net ([173.255.214.101]:53700)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <vagrant@HIDDEN>) id 1fwVyD-0008My-Rg
 for 22883 <at> debbugs.gnu.org; Sun, 02 Sep 2018 13:15:30 -0400
Received: from localhost (unknown [IPv6:2600:3c01:e000:21:21:21:0:100b])
 (Authenticated sender: vagrant@HIDDEN)
 by cascadia.aikidev.net (Postfix) with ESMTPSA id B15931AAC0;
 Sun,  2 Sep 2018 10:15:23 -0700 (PDT)
From: Vagrant Cascadian <vagrant@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
In-Reply-To: <871sab7ull.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN> <87tvnemfjh.fsf@HIDDEN>
 <871sab7ull.fsf@HIDDEN>
Date: Sun, 02 Sep 2018 10:15:19 -0700
Message-ID: <87zhwz6ct4.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 2018-09-02, Ludovic Court=C3=A8s wrote:
> Vagrant Cascadian <vagrant@HIDDEN> skribis:
>> I really don't like having a custom GNUPGHOME, but I didn't see any
>> other obvious way to pass arguments to git to use a custom keyring. I
>> populated this GNUPGHOME with keys from:
>>
>>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix&d=
ownload=3D1
>>
>> And then ran gpg --refresh-keys on it, as several keys were
>> outdated/expired.
>
> =E2=80=98gpgv=E2=80=99, which is recommended for this use case, has a =E2=
=80=98--keyring=E2=80=99
> argument.  I suppose we could use that.

I'm not sure how to get git to use gpgv instead of gpg, and extracting
the information out of git and then implementing some external
verification process, while possible, is likely error-prone.

A feature request to git to allow passing gpg arguments or use gpgv
would be the best way forward in the long-term.


live well,
  vagrant

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCW4waqAAKCRDcUY/If5cW
qt79AP4i+7XFfikJPM1ql0QqZ3drbh5EDPHg0GmJPsihQg1A8wEAlfllS1HhHHIw
w+s8pyWXeb6cRJq3GsXgaX19hCaN8g0=
=1ciG
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 2 Sep 2018 16:05:53 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Sep 02 12:05:53 2018
Received: from localhost ([127.0.0.1]:43214 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1fwUsr-0006Ju-Fl
	for submit <at> debbugs.gnu.org; Sun, 02 Sep 2018 12:05:53 -0400
Received: from eggs.gnu.org ([208.118.235.92]:53442)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1fwUso-0006Je-QA
 for 22883 <at> debbugs.gnu.org; Sun, 02 Sep 2018 12:05:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1fwUsi-00016H-Gs
 for 22883 <at> debbugs.gnu.org; Sun, 02 Sep 2018 12:05:45 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:53815)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1fwUsi-00016D-DL; Sun, 02 Sep 2018 12:05:44 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=40856 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1fwUsi-0006gV-50; Sun, 02 Sep 2018 12:05:44 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Vagrant Cascadian <vagrant@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
References: <87io14sqoa.fsf@HIDDEN> <87tvnemfjh.fsf@HIDDEN>
Date: Sun, 02 Sep 2018 18:05:42 +0200
In-Reply-To: <87tvnemfjh.fsf@HIDDEN> (Vagrant Cascadian's message of
 "Tue, 28 Aug 2018 12:56:02 -0700")
Message-ID: <871sab7ull.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

Hi Vagrant,

Vagrant Cascadian <vagrant@HIDDEN> skribis:

> This isn't exactly pretty, and obviously a better long-term solution is
> needed, but I wrote a quick shell script to at least partially addresses
> some my biggest fears with guix pull...
>
> Basically, it updates a git checkout, checks the signatures on the
> commits, looking for the topmost signed commit by a key in a specific
> keyring, and then runs guix pull with that commit.

Thanks for sharing!  Even if it=E2=80=99s not the long-term solution, it=E2=
=80=99s a
useful way to see how to move forward.

> It relies on a custom gpg directory and assumes any of the keys in the
> keyring are valid potential signers of the commits; the web of trust is
> essentially ignored.
>
> I really don't like having a custom GNUPGHOME, but I didn't see any
> other obvious way to pass arguments to git to use a custom keyring. I
> populated this GNUPGHOME with keys from:
>
>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix&do=
wnload=3D1
>
> And then ran gpg --refresh-keys on it, as several keys were
> outdated/expired.

=E2=80=98gpgv=E2=80=99, which is recommended for this use case, has a =E2=
=80=98--keyring=E2=80=99
argument.  I suppose we could use that.

> (an alternative approach to populate the keyring might be:
> https://gitlab.com/Efraim/guix-keyring)

Indeed, didn=E2=80=99t know about this repo.

Thank you,
Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 28 Aug 2018 19:56:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Aug 28 15:56:13 2018
Received: from localhost ([127.0.0.1]:35952 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1fuk61-0000ec-67
	for submit <at> debbugs.gnu.org; Tue, 28 Aug 2018 15:56:13 -0400
Received: from cascadia.aikidev.net ([173.255.214.101]:49278)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <vagrant@HIDDEN>) id 1fuk5z-0000eP-GB
 for 22883 <at> debbugs.gnu.org; Tue, 28 Aug 2018 15:56:11 -0400
Received: from localhost (unknown [IPv6:2600:3c01:e000:21:21:21:0:100b])
 (Authenticated sender: vagrant@HIDDEN)
 by cascadia.aikidev.net (Postfix) with ESMTPSA id 1AC901A9C3
 for <22883 <at> debbugs.gnu.org>; Tue, 28 Aug 2018 12:56:05 -0700 (PDT)
From: Vagrant Cascadian <vagrant@HIDDEN>
To: 22883 <at> debbugs.gnu.org
Subject: Trustable "guix pull"
Date: Tue, 28 Aug 2018 12:56:02 -0700
Message-ID: <87tvnemfjh.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 22883
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

This isn't exactly pretty, and obviously a better long-term solution is
needed, but I wrote a quick shell script to at least partially addresses
some my biggest fears with guix pull...

Basically, it updates a git checkout, checks the signatures on the
commits, looking for the topmost signed commit by a key in a specific
keyring, and then runs guix pull with that commit.


It relies on a custom gpg directory and assumes any of the keys in the
keyring are valid potential signers of the commits; the web of trust is
essentially ignored.

I really don't like having a custom GNUPGHOME, but I didn't see any
other obvious way to pass arguments to git to use a custom keyring. I
populated this GNUPGHOME with keys from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix&down=
load=3D1

And then ran gpg --refresh-keys on it, as several keys were
outdated/expired.

(an alternative approach to populate the keyring might be:
https://gitlab.com/Efraim/guix-keyring)


It also assumes a git checkout where "git pull" pulls from the correct
repository.

It assumes guix --version returns a valid git hash, so would require
some more tweaks to get it working from a fresh guix install.

All those caveats aside, it seems to work well enough for me, and
writing this email took longer than writing the script. :)


live well,
  vagrant


#!/bin/sh

set -x
set -e
workdir=3D/home/vagrant/src/guix
export GNUPGHOME=3D$workdir/verified-pull/gnupg
cd $workdir
git pull
guixversion=3D$(guix --version | awk '/^guix/{print $4}')

commits=3D$(git log ${guixversion}.. --pretty=3D'format:%G?,%H')

# =C2=B7 %G?: show
# "G" for a good (valid) signature,
# "B" for a bad =C2=B7 %signature,
# "U" for a good signature with unknown validity,
# "X" for a good =C2=B7 %signature that has expired,
# "Y" for a good signature made by an expired =C2=B7 %key,
# "R" for a good signature made by a revoked key,
# "E" if the =C2=B7 %signature cannot be checked (e.g. missing key) and
# "N" for no signature

for commitlog in $commits ; do
    commitverify=3D$(echo $commitlog | cut -d , -f 1)
    commit=3D$(echo $commitlog | cut -d , -f 2)
    case $commitverify in
	G|U) git verify-commit $commit && \
		   guix pull --url=3Dfile://$workdir --commit=3D$commit && \
		   exit 0 ;;
    esac
done

echo unable to find signed commit
exit 1

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCW4Wo0gAKCRDcUY/If5cW
qq8CAP9ZpSDbjUqOaX+eF99nvt33GFJTw8l8uqzjgBkqlHyxAwD/bK1JtjWquwYL
QVoWJZx/YyVx+PUjPMNImcRQE7k9wwE=
=uMdS
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 24 Oct 2017 23:30:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 24 19:30:08 2017
Received: from localhost ([127.0.0.1]:60406 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1e78e8-0007id-Au
	for submit <at> debbugs.gnu.org; Tue, 24 Oct 2017 19:30:08 -0400
Received: from hera.aquilenet.fr ([141.255.128.1]:49416)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1e78e7-0007gE-35
 for 22883 <at> debbugs.gnu.org; Tue, 24 Oct 2017 19:30:07 -0400
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 15DFAF4F2
 for <22883 <at> debbugs.gnu.org>; Wed, 25 Oct 2017 01:30:07 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id l4tcWbfM2oic for <22883 <at> debbugs.gnu.org>;
 Wed, 25 Oct 2017 01:30:06 +0200 (CEST)
Received: from ribbon (unknown [216.123.155.195])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id 8319A897C
 for <22883 <at> debbugs.gnu.org>; Wed, 25 Oct 2017 01:30:05 +0200 (CEST)
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: Authenticating a Git checkout
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87wpket748.fsf@HIDDEN>
Date: Tue, 24 Oct 2017 16:30:02 -0700
In-Reply-To: <87wpket748.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Fri, 22 Jul 2016 10:22:15 +0200")
Message-ID: <87bmkwm8ed.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: 22883
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.0 (+)

Hello,

Just a note for later=E2=80=A6

ludo@HIDDEN (Ludovic Court=C3=A8s) skribis:

> With the quick-hack libgit2 bindings attached, I can run this program,
> which authenticates HEAD:

[...]

> So I think we can go from here.  Our repo would contain a Scheme list of
> authorized OpenPGP fingerprints, and we=E2=80=99d check whether the finge=
rprint
> that shows up in =E2=80=98valid-signature=E2=80=99 above is among them

Storing the list of authorized keys in a file in the repo is
inconvenient: simply to retrieve it, you=E2=80=99d need to make a checkout.=
  So
for each commit we verify, we have to check out the whole repo, which is
inefficient.

While reading
<http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/>, I
realized we could store in empty Git commit messages, which would
address the above problem (we could use a custom object type too, but
that would be less convenient.)

So the special commit could look like:

  Authorization

  (commit-authorizations
    (authorization-commit (KEY1 KEY2 =E2=80=A6))
    (files ("hydra.gnu.org.pub") (KEY1 KEY2 =E2=80=A6))
    (files _ (KEY1 KEY2 =E2=80=A6))) ;all other files

That way, to authenticate a commit, we first fetch the latest
authorization commit, read the authorization rules from there, and make
sure that the changes it makes match the rules.

Thoughts?

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 17 Aug 2016 15:34:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Aug 17 11:34:42 2016
Received: from localhost ([127.0.0.1]:60417 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ba2rZ-0003nh-Py
	for submit <at> debbugs.gnu.org; Wed, 17 Aug 2016 11:34:42 -0400
Received: from savannah.gnu.org ([208.118.235.70]:44620
 helo=frontend.savannah.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <www-data@HIDDEN>) id 1bZxJ3-0008Ib-SJ
 for 22883 <at> debbugs.gnu.org; Wed, 17 Aug 2016 05:38:42 -0400
Received: by frontend.savannah.gnu.org (Postfix, from userid 33)
 id 9BACC85EA6; Wed, 17 Aug 2016 09:38:36 +0000 (UTC)
To: Bob Proulx <bob@HIDDEN>,
 Ludovic =?UTF-8?B?Q291cnTDqHM=?= <ludo@HIDDEN>, 22883 <at> debbugs.gnu.org,
 savannah-help-public@HIDDEN
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
X-PHP-Originating-Script: 0:sendmail.php
From: Ludovic =?UTF-8?B?Q291cnTDqHM=?= <INVALID.NOREPLY@HIDDEN>
X-Savane-Server: savannah.gnu.org:443 [208.118.235.70]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
X-Apparently-From: 192.42.116.16 (Savane authenticated user civodul)
Message-Id: <20160817-113836.sv15145.82221@HIDDEN>
References: <20160725-000945.sv15145.13702@HIDDEN>
 <20160725-055142.sv744.4261@HIDDEN>
 <20160725-055748.sv744.57487@HIDDEN>
 <20160725-110023.sv15145.28291@HIDDEN>
 <20160807-015339.sv88130.30875@HIDDEN>
In-Reply-To: <20160807-015339.sv88130.30875@HIDDEN>
Date: Wed, 17 Aug 2016 09:38:36 +0000 (UTC)
X-Spam-Score: -0.5 (/)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Wed, 17 Aug 2016 11:34:41 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.5 (/)

Follow-up Comment #5, sr #109104 (project administration):

Hi Mike,

The hook is indeed super naive.  The goal was just to avoid _accidental_
pushes of unsigned commits, under the assumption that those with commit access
are well-behaved.  :-)

But yeah, the goal is to ultimately scan the Git history and ensure only
authorized keys are used:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#103 .

Thanks,
Ludo'.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 7 Aug 2016 06:07:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Aug 07 02:07:50 2016
Received: from localhost ([127.0.0.1]:58313 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bWHFW-0000x8-GV
	for submit <at> debbugs.gnu.org; Sun, 07 Aug 2016 02:07:50 -0400
Received: from savannah.gnu.org ([208.118.235.70]:44262
 helo=frontend.savannah.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <www-data@HIDDEN>) id 1bWH1t-0000d5-Dm
 for 22883 <at> debbugs.gnu.org; Sun, 07 Aug 2016 01:53:45 -0400
Received: by frontend.savannah.gnu.org (Postfix, from userid 33)
 id 0574985EA5; Sun,  7 Aug 2016 05:53:39 +0000 (UTC)
To: Bob Proulx <bob@HIDDEN>,
 Ludovic =?UTF-8?B?Q291cnTDqHM=?= <ludo@HIDDEN>, 22883 <at> debbugs.gnu.org,
 savannah-help-public@HIDDEN
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
X-PHP-Originating-Script: 0:sendmail.php
From: Mike Gerwitz <INVALID.NOREPLY@HIDDEN>
X-Savane-Server: savannah.gnu.org:443 [208.118.235.70]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
X-Apparently-From: 89.234.157.254 (Savane authenticated user mikegerwitz)
Message-Id: <20160807-015339.sv88130.30875@HIDDEN>
References: <20160725-000945.sv15145.13702@HIDDEN>
 <20160725-055142.sv744.4261@HIDDEN>
 <20160725-055748.sv744.57487@HIDDEN>
 <20160725-110023.sv15145.28291@HIDDEN>
In-Reply-To: <20160725-110023.sv15145.28291@HIDDEN>
Date: Sun,  7 Aug 2016 05:53:39 +0000 (UTC)
X-Spam-Score: -1.2 (-)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Sun, 07 Aug 2016 02:07:49 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.2 (-)

Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated.  Here's some example output
from the current tip of master:


$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari <leo@HIDDEN> 1470169005 -0400
committer Leo Famulari <leo@HIDDEN> 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll <vincent.legoll@HIDDEN>


The hook currently greps for `^gpgsig '.  It will indeed find a GPG signature
if it exists, but to circumvent it, an attacker need only put `gpgsig' in the
commit message at column 0---the commit messages aren't indented in the
output.

You can replace the entire loop in the hook with this:


git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
           e=1
           print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'


If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.

Here's some example output (run with HEAD~15..):


error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 25 Jul 2016 17:32:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 25 13:32:23 2016
Received: from localhost ([127.0.0.1]:37150 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bRjjr-00040Q-4N
	for submit <at> debbugs.gnu.org; Mon, 25 Jul 2016 13:32:23 -0400
Received: from savannah.gnu.org ([208.118.235.70]:48725
 helo=frontend.savannah.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <www-data@HIDDEN>) id 1bRbkT-00078i-C8
 for 22883 <at> debbugs.gnu.org; Mon, 25 Jul 2016 05:00:29 -0400
Received: by frontend.savannah.gnu.org (Postfix, from userid 33)
 id F035985D74; Mon, 25 Jul 2016 09:00:23 +0000 (UTC)
To: Bob Proulx <bob@HIDDEN>,
 Ludovic =?UTF-8?B?Q291cnTDqHM=?= <ludo@HIDDEN>, 22883 <at> debbugs.gnu.org,
 savannah-help-public@HIDDEN
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
X-PHP-Originating-Script: 0:sendmail.php
From: Ludovic =?UTF-8?B?Q291cnTDqHM=?= <INVALID.NOREPLY@HIDDEN>
X-Savane-Server: savannah.gnu.org:443 [208.118.235.70]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
X-Apparently-From: 89.163.135.98 (Savane authenticated user civodul)
Message-Id: <20160725-110023.sv15145.28291@HIDDEN>
References: <20160725-000945.sv15145.13702@HIDDEN>
 <20160725-055142.sv744.4261@HIDDEN>
 <20160725-055748.sv744.57487@HIDDEN>
In-Reply-To: <20160725-055748.sv744.57487@HIDDEN>
Date: Mon, 25 Jul 2016 09:00:23 +0000 (UTC)
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Mon, 25 Jul 2016 13:32:21 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

Follow-up Comment #3, sr #109104 (project administration):

That was fast, thanks a lot, Bob!

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 25 Jul 2016 02:40:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jul 24 22:40:35 2016
Received: from localhost ([127.0.0.1]:36199 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bRVop-0006VN-CV
	for submit <at> debbugs.gnu.org; Sun, 24 Jul 2016 22:40:35 -0400
Received: from savannah.gnu.org ([208.118.235.70]:60927
 helo=frontend.savannah.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <www-data@HIDDEN>) id 1bRSLK-00013m-HR
 for 22883 <at> debbugs.gnu.org; Sun, 24 Jul 2016 18:57:54 -0400
Received: by frontend.savannah.gnu.org (Postfix, from userid 33)
 id EE86885D2E; Sun, 24 Jul 2016 22:57:48 +0000 (UTC)
To: Bob Proulx <bob@HIDDEN>,
 Ludovic =?UTF-8?B?Q291cnTDqHM=?= <ludo@HIDDEN>, 22883 <at> debbugs.gnu.org,
 savannah-help-public@HIDDEN
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
X-PHP-Originating-Script: 0:sendmail.php
From: Bob Proulx <INVALID.NOREPLY@HIDDEN>
X-Savane-Server: savannah.gnu.org:443 [208.118.235.70]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
User-Agent: Mozilla/5.0 (X11;
 Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 Chrome/51.0.2704.79 Safari/537.36
X-Apparently-From: 184.96.192.154 (Savane authenticated user rwp)
Message-Id: <20160725-055748.sv744.57487@HIDDEN>
References: <20160725-000945.sv15145.13702@HIDDEN>
 <20160725-055142.sv744.4261@HIDDEN>
In-Reply-To: <20160725-055142.sv744.4261@HIDDEN>
Date: Sun, 24 Jul 2016 22:57:48 +0000 (UTC)
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Sun, 24 Jul 2016 22:40:33 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

Update of sr #109104 (project administration):

                  Status:             In Progress => Done                   
             Open/Closed:                    Open => Closed                 

    _______________________________________________________

Follow-up Comment #2:

Done. Commits to those repositories will be required to be gpg signed now. Let
us know if you need anything else.


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 25 Jul 2016 02:40:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jul 24 22:40:25 2016
Received: from localhost ([127.0.0.1]:36197 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bRVof-0006V1-0c
	for submit <at> debbugs.gnu.org; Sun, 24 Jul 2016 22:40:25 -0400
Received: from savannah.gnu.org ([208.118.235.70]:60567
 helo=frontend.savannah.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <www-data@HIDDEN>) id 1bRSFQ-0000uq-CX
 for 22883 <at> debbugs.gnu.org; Sun, 24 Jul 2016 18:51:48 -0400
Received: by frontend.savannah.gnu.org (Postfix, from userid 33)
 id 157EA85D2E; Sun, 24 Jul 2016 22:51:43 +0000 (UTC)
To: Bob Proulx <bob@HIDDEN>,
 Ludovic =?UTF-8?B?Q291cnTDqHM=?= <ludo@HIDDEN>, 22883 <at> debbugs.gnu.org,
 savannah-help-public@HIDDEN
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
X-PHP-Originating-Script: 0:sendmail.php
From: Bob Proulx <INVALID.NOREPLY@HIDDEN>
X-Savane-Server: savannah.gnu.org:443 [208.118.235.70]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
User-Agent: Mozilla/5.0 (X11;
 Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
 Chrome/51.0.2704.79 Safari/537.36
X-Apparently-From: 184.96.192.154 (Savane authenticated user rwp)
Message-Id: <20160725-055142.sv744.4261@HIDDEN>
References: <20160725-000945.sv15145.13702@HIDDEN>
In-Reply-To: <20160725-000945.sv15145.13702@HIDDEN>
Date: Sun, 24 Jul 2016 22:51:43 +0000 (UTC)
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Sun, 24 Jul 2016 22:40:23 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

Update of sr #109104 (project administration):

                  Status:                    None => In Progress            
             Assigned to:                    None => rwp                    

    _______________________________________________________

Follow-up Comment #1:

Sure thing. I will add it to this list.

guix.git
guix/dhcp.git
guix/gnunet.git
guix/guix-artwork.git
guix/maintenance.git


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 25 Jul 2016 02:40:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jul 24 22:40:09 2016
Received: from localhost ([127.0.0.1]:36195 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bRVoP-0006Ud-Jx
	for submit <at> debbugs.gnu.org; Sun, 24 Jul 2016 22:40:09 -0400
Received: from savannah.gnu.org ([208.118.235.70]:56063
 helo=frontend.savannah.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <www-data@HIDDEN>) id 1bRRaq-0008Mi-Vd
 for 22883 <at> debbugs.gnu.org; Sun, 24 Jul 2016 18:09:53 -0400
Received: by frontend.savannah.gnu.org (Postfix, from userid 33)
 id 8A85C85D2E; Sun, 24 Jul 2016 22:09:47 +0000 (UTC)
To: Ludovic =?UTF-8?B?Q291cnTDqHM=?= <ludo@HIDDEN>, 22883 <at> debbugs.gnu.org,
 savannah-help-public@HIDDEN
Subject: [sr #109104] Add Git 'update' hook for Guix repositories
X-PHP-Originating-Script: 0:sendmail.php
From: Ludovic =?UTF-8?B?Q291cnTDqHM=?= <INVALID.NOREPLY@HIDDEN>
X-Savane-Server: savannah.gnu.org:443 [208.118.235.70]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
X-Savane-Project: administration
X-Savane-Tracker: support
X-Savane-Item-ID: 109104
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
X-Apparently-From: 77.247.181.162 (Savane authenticated user civodul)
Message-Id: <20160725-000945.sv15145.13702@HIDDEN>
References: 
In-Reply-To: 
Date: Sun, 24 Jul 2016 22:09:47 +0000 (UTC)
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Sun, 24 Jul 2016 22:40:08 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

URL:
  <http://savannah.gnu.org/support/?109104>

                 Summary: Add Git 'update' hook for Guix repositories
                 Project: Savannah Administration
            Submitted by: civodul
            Submitted on: Mon 25 Jul 2016 12:09:45 AM CEST
                Category: Source code repositories - developer access
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
             Assigned to: None
        Originator Email: ludo@HIDDEN
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Hello,

Could you add the attach file as an 'update' hook for all the Guix
repositories?

Thanks in advance,
Ludo'.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Mon 25 Jul 2016 12:09:45 AM CEST  Name: assert-commit-signed  Size: 764B
  By: civodul
Git 'update' hook to reject unsigned commits
<http://savannah.gnu.org/support/download.php?file_id=38011>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?109104>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 22 Jul 2016 13:58:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jul 22 09:58:17 2016
Received: from localhost ([127.0.0.1]:33836 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bQay1-0004Se-Kq
	for submit <at> debbugs.gnu.org; Fri, 22 Jul 2016 09:58:17 -0400
Received: from eggs.gnu.org ([208.118.235.92]:48078)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1bQay0-0004SP-0Z
 for 22883 <at> debbugs.gnu.org; Fri, 22 Jul 2016 09:58:16 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1bQaxs-0005jt-6Z
 for 22883 <at> debbugs.gnu.org; Fri, 22 Jul 2016 09:58:10 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_40,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:39845)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1bQaxs-0005jp-3O; Fri, 22 Jul 2016 09:58:08 -0400
Received: from pluto.bordeaux.inria.fr ([193.50.110.57]:48100 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1bQaxr-00068T-6v; Fri, 22 Jul 2016 09:58:07 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: "Thompson\, David" <dthompson2@HIDDEN>
Subject: Re: bug#22883: Authenticating a Git checkout
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87wpket748.fsf@HIDDEN>
 <CAJ=RwfY5=DPydawwTBEAn_Zd19BDVMQ0JLzrvzViZ3K415i4ew@HIDDEN>
Date: Fri, 22 Jul 2016 15:58:01 +0200
In-Reply-To: <CAJ=RwfY5=DPydawwTBEAn_Zd19BDVMQ0JLzrvzViZ3K415i4ew@HIDDEN>
 (David Thompson's message of "Fri, 22 Jul 2016 08:58:19 -0400")
Message-ID: <87shv1ojva.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.3 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.3 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

"Thompson, David" <dthompson2@HIDDEN> skribis:

> On Fri, Jul 22, 2016 at 4:22 AM, Ludovic Court=C3=A8s <ludo@HIDDEN> wrot=
e:
>
>> It Would Be Nice if the libgit2 bindings were maintained separately.  We
>> can start with just the features we need as (guix git), but if anyone
>> wants to =E2=80=9Cexternalize=E2=80=9D it and improve it, that would be =
more than
>> welcome!
>
> I started a "guile-git" project awhile ago, but didn't get anywhere.
> Maybe I can snarf your bindings as a starting point?

Definitely, that=E2=80=99d be a great contribution!

Among other things, I didn=E2=80=99t pay attention to memory management; so=
me
objects need finalizers, some are documented as having the same life
time as the repository object they come from (a weak-key hash table
could be used to have the life time of Scheme object match that of their
C counterpart.)  Nothing terrible though, and you know all that very
well.

> If the bindings were an external project, would it be an optional or
> mandatory dependency?

It may become a mandatory dependency because we=E2=80=99d use it in =E2=80=
=98guix pull=E2=80=99.

> Would you be OK with licensing the code under LGPLv3 or later?

Fine with me!

Thank you!

Ludo=E2=80=99.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXkiZsAAoJEAkLEZk9muu1k4AP/3FRA7FBU8vCEBnfiidIPw+v
N27ZERJPgfX+RzKgJTiCyitS+12I9/6LDTf/R4YPg3Csq9ZGzruAcz/LO5CuRb36
igLVTWx7OO+95T6r/zikVZGC4XXoPTmYgpKURRM7CZdMUvBIOMGTFOMoGAdflM+Y
x5dwoRZEWrZWamaJyn837TY+9jHIAvbc8m8Pd8s3aOLazxs2K702tL+DLsI4SHwZ
YOjmB6G75+DaV5Q36Yz7hKiJHLMhY/pcT2z88l+Rtf35gifF48+26aYe+f6F0JlZ
PfvUdArv5MRLQ35NnLm/LDcFJhnQKYY25YkKOoIAUe/8OPODGh4dEtxq2pKXeM0C
bZXEdvTgD3/758PSjYv0atc9dCZz/XJcdGDRk/o1AM9U/D9N+Flfz5LCGzUv7Rxu
CSerTzW1O+wH8SUU6N6LSnw5BZ22lnrILLsDNdSABSTz/9Z6tGCztXiLrumVfvWq
tJlsg4nUQRg2zb4TMumhb97RsK8n60atm7Me1ih+wAKMm8CkTdkridYzWW5zJUWF
ndkR/lKtQCE2tsBkKCVCYTssmXoNrkRn/nbbXPOlN+w2Ve0BUf/I3s4z+JVXMo4A
i1lTZJy4WDHhDnyfJISQ4ZyN59/lGQ1u5EvST0YdgqLEqCqplS4AHM3Bz+uIfLNa
gQSWz9kTkowbQwFMmOFm
=3gtX
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 22 Jul 2016 12:58:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jul 22 08:58:26 2016
Received: from localhost ([127.0.0.1]:60868 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bQa26-0002if-Nm
	for submit <at> debbugs.gnu.org; Fri, 22 Jul 2016 08:58:26 -0400
Received: from mail-vk0-f51.google.com ([209.85.213.51]:34123)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dthompson2@HIDDEN>) id 1bQa26-0002iQ-1T
 for 22883 <at> debbugs.gnu.org; Fri, 22 Jul 2016 08:58:26 -0400
Received: by mail-vk0-f51.google.com with SMTP id s189so155520544vkh.1
 for <22883 <at> debbugs.gnu.org>; Fri, 22 Jul 2016 05:58:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=worcester-edu.20150623.gappssmtp.com; s=20150623;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=avP7nt6wqTLBhIhjTLmHsD25pcecPM3/djIxuJCuQLM=;
 b=Sz5oYYYKgG52NXOMhoZgGM37RZL3dbmSZ75vXfOrCG59KZOsZ8om6IlhqP5COEEH25
 4Hahjxda7Po+9yL8WokdL3GX4LpzikzcNM1g2dLJDJ/4iFZA7tEQ3U6TBSUnTBHckeBY
 yjtBYG1CgrS/izMKScmXTlaC2LI8YmPRNPNsMBc4ERHVilFiryo6MW0JbkRaPufEosUE
 4H85L+2IDB3gcRmS6m6TYujiMfpIlpcxWuuECys3aRUf1st8vV766zZWMcjSLPBIOOzf
 TKTrU+8Dkh8AfEcMNvzCGrZkt+47oOcurqVlPoOSvWr5mKj6ZiDGL6kZArWYJ2/zqDTp
 YfOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=avP7nt6wqTLBhIhjTLmHsD25pcecPM3/djIxuJCuQLM=;
 b=YEof4h4uZqoabtm0aQXgpBSVsfeJpROa0uhaNU4SVosQZc2FOsdefzks9I2CvcHlQ7
 XGwME92mhGH9OjJ9e7zcQbl2n+LBNS+thPygOJKDBIPbg6wbl6n0tb9kiqIX/71Iv0qj
 7uClmSddBNLZSgdswu8Qmzf0bxhiDC3CUSoucnhoYi/AaiXxqxAoaSfuHiSvzQnfY3EX
 MEcBOhHE+GKk+Kn4+Vf4rwLaBoYhkSH/MSnu1EcBxSLMjlPeM15ppv8BhUeGidoonLIc
 IXbcnVdkdEh2EESBUm35nz1SolJmUQqzY9nvUZJ/pl/P+gvzI2jkYXtdeLjFny74Cj0q
 GK5w==
X-Gm-Message-State: AEkooutpJJs6ab+a0cNY0IshtX/tMmpoBxz9WH+rE01NQkUbzjYwkWLJlYLLLgEq+iwpm583M8CcK6PJx17kfzCO
X-Received: by 10.159.40.72 with SMTP id c66mr1790897uac.48.1469192300269;
 Fri, 22 Jul 2016 05:58:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.53.66 with HTTP; Fri, 22 Jul 2016 05:58:19 -0700 (PDT)
In-Reply-To: <87wpket748.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87wpket748.fsf@HIDDEN>
From: "Thompson, David" <dthompson2@HIDDEN>
Date: Fri, 22 Jul 2016 08:58:19 -0400
Message-ID: <CAJ=RwfY5=DPydawwTBEAn_Zd19BDVMQ0JLzrvzViZ3K415i4ew@HIDDEN>
Subject: Re: bug#22883: Authenticating a Git checkout
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Hi Ludo,

This is some awesome work!

On Fri, Jul 22, 2016 at 4:22 AM, Ludovic Court=C3=A8s <ludo@HIDDEN> wrote:

> It Would Be Nice if the libgit2 bindings were maintained separately.  We
> can start with just the features we need as (guix git), but if anyone
> wants to =E2=80=9Cexternalize=E2=80=9D it and improve it, that would be m=
ore than
> welcome!

I started a "guile-git" project awhile ago, but didn't get anywhere.
Maybe I can snarf your bindings as a starting point?  If the bindings
were an external project, would it be an optional or mandatory
dependency?  Would you be OK with licensing the code under LGPLv3 or
later?

Thanks!

- Dave




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 22 Jul 2016 08:22:49 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jul 22 04:22:49 2016
Received: from localhost ([127.0.0.1]:60782 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bQVjN-0002vu-Cr
	for submit <at> debbugs.gnu.org; Fri, 22 Jul 2016 04:22:49 -0400
Received: from eggs.gnu.org ([208.118.235.92]:37832)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1bQVjK-0002vg-47
 for 22883 <at> debbugs.gnu.org; Fri, 22 Jul 2016 04:22:47 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1bQVjD-0002vh-CQ
 for 22883 <at> debbugs.gnu.org; Fri, 22 Jul 2016 04:22:40 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_40,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:35753)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1bQViu-0002sq-BN; Fri, 22 Jul 2016 04:22:20 -0400
Received: from pluto.bordeaux.inria.fr ([193.50.110.57]:45552 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1bQVir-0000oA-VN; Fri, 22 Jul 2016 04:22:18 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: Authenticating a Git checkout
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN>
Date: Fri, 22 Jul 2016 10:22:15 +0200
In-Reply-To: <87bn3iz1xc.fsf_-_@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\?\=
 \=\?utf-8\?Q\?\=22's\?\= message of "Fri,
 03 Jun 2016 18:12:47 +0200")
Message-ID: <87wpket748.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.3 (------)
X-Debbugs-Envelope-To: 22883
Cc: Christopher Allan Webber <cwebber@HIDDEN>,
 Mike Gerwitz <mtg@HIDDEN>, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.3 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi!

ludo@HIDDEN (Ludovic Court=C3=A8s) skribis:

> Sixth, OK, we=E2=80=99ll use libgit2, and write Guile bindings, maybe bas=
ed on
> the CHICKEN bindings=C2=B2, easy!  Well no, it turns out that libgit2=C2=
=B3 has no
> support for signed commits (the =E2=80=98signature=E2=80=99 abstraction t=
here has
> nothing to do with OpenPGP signatures.)
>
> Seventh, even if it did, what would we do with the raw ASCII-armored
> OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we=E2=80=
=99d
> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
> in Bigloo?)?!

This bit was too pessimistic it seems.  :-)

With the quick-hack libgit2 bindings attached, I can run this program,
which authenticates HEAD:

--8<---------------cut here---------------start------------->8---
(use-modules (guix git)
             (guix gnupg)
             (srfi srfi-11)
             (srfi srfi-26))

(let* ((repo      (open-repository "."))
       (head      (repository-head repo))
       (commit-id (reference-target head)))
  (let-values (((signature signed-data)
                (commit-signature repo commit-id)))
    (with-fluids ((%default-port-encoding "UTF-8"))
      (call-with-output-file "/tmp/s"
        (cut display signature <>))
      (call-with-output-file "/tmp/d"
        (cut display signed-data <>)))
    (pk (gnupg-verify "/tmp/s" "/tmp/d"))))
--8<---------------cut here---------------end--------------->8---

=E2=80=A6 which gives:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guile t.scm
gpg: Signature made Thu 21 Jul 2016 06:53:27 PM CEST using RSA key ID 3D9AE=
BB5
gpg: Good signature from "Ludovic Court=C3=A8s <ludo@HIDDEN>" [full]
gpg:                 aka "Ludovic Court=C3=A8s <ludo@HIDDEN>" [full]
gpg:                 aka "Ludovic Court=C3=A8s (Inria) <ludovic.courtes@inr=
ia.fr>" [full]

;;; (((unparsed-line "[GNUPG:] NEWSIG") (signature-id "5U2RqMgQpDFefFuBzsYB=
DsrL9xg" "2016-07-21" 1469120007) (good-signature "090B11993D9AEBB5" "Ludov=
ic Court=C3=A8s <ludo@HIDDEN>") (valid-signature "3CE464558A84FDC69DB40CFB=
090B11993D9AEBB5" "2016-07-21" 1469120007) (unparsed-line "[GNUPG:] TRUST_F=
ULLY")))
--8<---------------cut here---------------end--------------->8---

So I think we can go from here.  Our repo would contain a Scheme list of
authorized OpenPGP fingerprints, and we=E2=80=99d check whether the fingerp=
rint
that shows up in =E2=80=98valid-signature=E2=80=99 above is among them (IMO=
 this is
better than using a GnuPG keyring because GnuPG keyrings are opaque
binary blobs=E2=80=94we wouldn=E2=80=99t be able to diff subsequent revisio=
ns of the
keyring=E2=80=94and they contain full OpenPGP keys, including signature pac=
kets
and all that, which we don=E2=80=99t need/want for authorization purposes; =
we
may still want to store a keyring though, but simply for the purposes of
allowing gpg to check signatures.)

Since we just need to read Git objects, after all, another option would
be to avoid libgit2 and read them ourselves, which wouldn=E2=80=99t be hard=
 (I=E2=80=99d
expect ~500 lines of code), would avoid the dependency, and be more
robust (no C!).

However, =E2=80=98guix pull=E2=80=99 can make good use of libgit2 to direct=
ly clone/pull
in the future, so it makes sense to have libgit2 bindings.

It Would Be Nice if the libgit2 bindings were maintained separately.  We
can start with just the features we need as (guix git), but if anyone
wants to =E2=80=9Cexternalize=E2=80=9D it and improve it, that would be mor=
e than
welcome!

Thoughts?

Thanks,
Ludo=E2=80=99.


--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline; filename=git.scm
Content-Transfer-Encoding: quoted-printable
Content-Description: quick hack!

;;; Copyright =C2=A9 Ludovic Court=C3=A8s <ludo@HIDDEN>
;;; Released under the GNU GPL version 3 or later.

(define-module (guix git)
  #:use-module (rnrs bytevectors)
  #:use-module (system foreign)
  #:use-module (ice-9 match)
  #:export (repository?
            open-repository
            reference?
            repository-head
            reference-target
            oid?
            commit-signature))

;; DRAFT!

(define libgit2
  (dynamic-link "/gnu/store/g8r0qwnzf2j17hd84cchc6cmr51sflz8-libgit2-0.24.1=
/lib/libgit2"))

(define (libgit2->procedure return name params)
  (pointer->procedure return (dynamic-func name libgit2) params))

(define-inlinable (libgit2->procedure* name params)
  (let ((proc (libgit2->procedure int name params)))
    (lambda args
      (let ((ret (apply proc args)))
        (unless (zero? ret)
          (throw 'git-error ret))))))

(define initialize!
  (libgit2->procedure int "git_libgit2_init" '()))

(define-syntax define-libgit2-type
  (lambda (s)
    "Define a wrapped pointer type for an opaque type of libgit2."
    (syntax-case s ()
      ((_ name)
       (let ((symbol     (syntax->datum #'name))
             (identifier (lambda (symbol)
                           (datum->syntax #'name symbol))))
         (with-syntax ((rtd    (identifier (symbol-append '< symbol '>)))
                       (pred   (identifier (symbol-append symbol '?)))
                       (wrap   (identifier (symbol-append 'pointer-> symbol=
)))
                       (unwrap (identifier (symbol-append symbol '->pointer=
))))
           #`(define-wrapped-pointer-type rtd
               pred
               wrap unwrap
               (lambda (obj port)
                 (format port "#<git-~a ~a>"
                         #,(symbol->string symbol)
                         (number->string (pointer-address (unwrap obj))
                                         16))))))))))

(define-libgit2-type repository)

(define open-repository
  (let ((proc (libgit2->procedure* "git_repository_open" '(* *))))
    (lambda (file)
      (let ((result (bytevector->pointer (make-bytevector (sizeof '*)))))
        (proc result (string->pointer file))
        (pointer->repository (dereference-pointer result))))))

(define-libgit2-type reference)

(define repository-head
  (let ((proc (libgit2->procedure* "git_repository_head" '(* *))))
    (lambda (repository)
      (let ((result (bytevector->pointer (make-bytevector (sizeof '*)))))
        (proc result (repository->pointer repository))
        (pointer->reference (dereference-pointer result))))))

(define-libgit2-type oid)

(define reference-target
  (let ((proc (libgit2->procedure '* "git_reference_target" '(*))))
    (lambda (reference)
      (pointer->oid (proc (reference->pointer reference))))))

(define-libgit2-type commit)

(define lookup-commit
  (let ((proc (libgit2->procedure* "git_commit_lookup" `(* * *))))
    (lambda (repository oid)
      (let ((result (bytevector->pointer (make-bytevector (sizeof '*)))))
        (proc result (repository->pointer repository) (oid->pointer oid))
        (pointer->commit (dereference-pointer result))))))

(define commit-raw-header
  (let ((proc (libgit2->procedure '* "git_commit_raw_header" '(*))))
    (lambda (commit)
      (pointer->string (proc (commit->pointer commit))))))

(define %buffer-struct                            ;git_buf
  (list '* size_t size_t))

(define free-buffer
  (libgit2->procedure void "git_buf_free" '(*)))

(define (buffer-content buf)
  (match (parse-c-struct buf %buffer-struct)
    ((pointer asize size)
     (pointer->bytevector pointer size))))

(define (buffer-content/string buf)
  (match (parse-c-struct buf %buffer-struct)
    ((pointer asize size)
     (pointer->string pointer size "UTF-8"))))

(define commit-signature
  (let ((proc (libgit2->procedure* "git_commit_extract_signature"
                                   '(* * * * *))))
    (lambda* (repository oid #:optional (field "gpgsig"))
      (let ((signature (make-c-struct %buffer-struct
                                      `(,%null-pointer 0 0)))
            (data      (make-c-struct %buffer-struct
                                      `(,%null-pointer 0 0))))
        (proc signature data (repository->pointer repository)
              (oid->pointer oid)
              (string->pointer field))
        (let ((signature* (buffer-content/string signature))
              (data*      (buffer-content/string data)))
          (free-buffer signature)
          (free-buffer data)
          (values signature* data*))))))


(define-libgit2-type object)

(define GIT_OBJ_ANY -2)

(define lookup-object
  (let ((proc (libgit2->procedure* "git_object_lookup" `(* * * ,int))))
    (lambda* (repository oid #:optional (type GIT_OBJ_ANY))
      (let ((result (bytevector->pointer (make-bytevector (sizeof '*)))))
        (proc result (repository->pointer repository) (oid->pointer oid)
              type)
        (pointer->object (dereference-pointer result))))))

(initialize!)

--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 7 Jun 2016 15:33:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 07 11:33:23 2016
Received: from localhost ([127.0.0.1]:58888 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bAJ0M-0001af-3e
	for submit <at> debbugs.gnu.org; Tue, 07 Jun 2016 11:33:23 -0400
Received: from 93-95-228-168.1984.is ([93.95.228.168]:59829
 helo=beleriand.n0.is) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ng0@HIDDEN>) id 1bAGaa-0005tF-VM
 for 22883 <at> debbugs.gnu.org; Tue, 07 Jun 2016 08:58:38 -0400
Received: by beleriand.n0.is (OpenSMTPD) with ESMTPSA id 61f4d660
 TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO
 for <22883 <at> debbugs.gnu.org>; Tue, 7 Jun 2016 12:58:33 +0000 (UTC)
Date: Tue, 7 Jun 2016 12:58:31 +0000
From: ng0 <ng0@HIDDEN>
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: gpg2 vs. gpg
Message-ID: <20160607125831.GA20708@khazad-dum>
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN> <874m98vbcg.fsf@HIDDEN>
 <877fe4hy3y.fsf@HIDDEN>
 <20160606210116.GA14052@jasmine> <87mvmxfmjt.fsf_-_@HIDDEN>
 <87shwp5jgn.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="envbJBWh7q8WU6mo"
Content-Disposition: inline
In-Reply-To: <87shwp5jgn.fsf@HIDDEN>
X-Spam-Score: 0.4 (/)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Tue, 07 Jun 2016 11:33:20 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.4 (/)


--envbJBWh7q8WU6mo
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2016-06-07(01:25:44+0200), Werner Koch wrote:
> On Tue,  7 Jun 2016 10:08, ludo@HIDDEN said:
>
> > Nevertheless, we could configure GPG 2.x with --enable-gpg2-is-gpg, if
> > that=E2=80=99s what Werner recommends.
>
> It would help to avoid trouble in the future.  Debian will also install
> gpg2 as gpg and provide 1.4 only a non-mandatory package gnupg1.
>
>
> Shalom-Salam,
>
>    Werner

I can add Gentoo to the list of gpg2 -> gpg symlinking systems, though this
is expected with 2.x version and GnuPG having this as quasi default:

~$ ls -al /usr/bin/gpg*
lrwxrwxrwx 1 root root      4 May 20 13:45 /usr/bin/gpg -> gpg2
=2E......
lrwxrwxrwx 1 root root      5 May 20 13:45 /usr/bin/gpgv -> gpgv2

--
=E2=99=A5=E2=92=B6 ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion

--envbJBWh7q8WU6mo
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iF4EARYKAAYFAldWxO0ACgkQhhoAchyzrCCULwD+Kq/ctkVbVRJn7LuO0TmJ7zHL
k0rFeRxsNNsd5ZrnH/4A/1di8FNeikPSVWIfzpAKzrMVUteWQUquYpEakJz89SEA
=2BCs
-----END PGP SIGNATURE-----

--envbJBWh7q8WU6mo--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 7 Jun 2016 11:31:33 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 07 07:31:33 2016
Received: from localhost ([127.0.0.1]:57513 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bAFEL-0003Fu-IT
	for submit <at> debbugs.gnu.org; Tue, 07 Jun 2016 07:31:33 -0400
Received: from kerckhoffs.g10code.com ([217.69.77.222]:54665)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <wk@HIDDEN>) id 1bAFEJ-0003DL-44
 for 22883 <at> debbugs.gnu.org; Tue, 07 Jun 2016 07:31:31 -0400
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2
 (Debian)) id 1bAFEH-00013L-QP
 for <22883 <at> debbugs.gnu.org>; Tue, 07 Jun 2016 13:31:29 +0200
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian))
 id 1bAF8i-0005Mj-52; Tue, 07 Jun 2016 13:25:44 +0200
From: Werner Koch <wk@HIDDEN>
To: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: gpg2 vs. gpg
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN> <874m98vbcg.fsf@HIDDEN>
 <877fe4hy3y.fsf@HIDDEN>
 <20160606210116.GA14052@jasmine> <87mvmxfmjt.fsf_-_@HIDDEN>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read!
 Please send only plain text.
OpenPGP: url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367
Date: Tue, 07 Jun 2016 13:25:44 +0200
In-Reply-To: <87mvmxfmjt.fsf_-_@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s?=
 =?utf-8?Q?=22's?= message of "Tue, 07 Jun 2016 10:08:54 +0200")
Message-ID: <87shwp5jgn.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus@HIDDEN>, neal@HIDDEN,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

On Tue,  7 Jun 2016 10:08, ludo@HIDDEN said:

> Nevertheless, we could configure GPG 2.x with --enable-gpg2-is-gpg, if
> that=E2=80=99s what Werner recommends.

It would help to avoid trouble in the future.  Debian will also install
gpg2 as gpg and provide 1.4 only a non-mandatory package gnupg1.


Shalom-Salam,

   Werner

--=20
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 7 Jun 2016 08:09:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 07 04:09:31 2016
Received: from localhost ([127.0.0.1]:57418 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bAC4p-0005Vf-Mu
	for submit <at> debbugs.gnu.org; Tue, 07 Jun 2016 04:09:31 -0400
Received: from eggs.gnu.org ([208.118.235.92]:40577)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1bAC4n-0005VS-MM
 for 22883 <at> debbugs.gnu.org; Tue, 07 Jun 2016 04:09:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1bAC4f-0001Vd-Kj
 for 22883 <at> debbugs.gnu.org; Tue, 07 Jun 2016 04:09:24 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_05,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:43752)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1bAC4L-0001O8-5u; Tue, 07 Jun 2016 04:09:01 -0400
Received: from pluto.bordeaux.inria.fr ([193.50.110.57]:36610 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1bAC4J-0007cr-5B; Tue, 07 Jun 2016 04:08:59 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: gpg2 vs. gpg
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN> <874m98vbcg.fsf@HIDDEN>
 <877fe4hy3y.fsf@HIDDEN>
 <20160606210116.GA14052@jasmine>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 20 Prairial an 224 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Tue, 07 Jun 2016 10:08:54 +0200
In-Reply-To: <20160606210116.GA14052@jasmine> (Leo Famulari's message of "Mon, 
 6 Jun 2016 17:01:16 -0400")
Message-ID: <87mvmxfmjt.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Werner Koch <wk@HIDDEN>, neal@HIDDEN,
 Justus Winter <justus@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

Leo Famulari <leo@HIDDEN> skribis:

> On Sun, Jun 05, 2016 at 09:51:45AM +0200, Werner Koch wrote:
>> Given that Guix is a new distro you should really try to get rid of 1.4
>> and only use 2.1.  For Windows we use the name "gpg" for a long time now
>> and there is a configure option --enable-gpg2-is-gpg to make it easier.
>
> If a Guix user installs GnuPG without specifying the version, which I
> think is the typical behavior, they will get the latest version that we
> package (currently 2.1.12). That's not exactly what you are requesting,
> but it should steer some users towards the modern branch :)
>
> For your reference, we package the classic, stable, and modern branches.

Nevertheless, we could configure GPG 2.x with --enable-gpg2-is-gpg, if
that=E2=80=99s what Werner recommends.

Thanks,
Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 6 Jun 2016 21:01:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jun 06 17:01:22 2016
Received: from localhost ([127.0.0.1]:57098 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1bA1eD-0001hb-S8
	for submit <at> debbugs.gnu.org; Mon, 06 Jun 2016 17:01:22 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:41241)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1bA1eC-0001hU-IJ
 for 22883 <at> debbugs.gnu.org; Mon, 06 Jun 2016 17:01:21 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id DA2A220DDC;
 Mon,  6 Jun 2016 17:01:19 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute3.internal (MEProxy); Mon, 06 Jun 2016 17:01:20 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=PBlpD
 fQS0q0NTCx8hvctbYXKwVc=; b=QX3Z3SGLVRuynYtxTE78xubt81uLjLeUQuB2S
 A/BznXyh0LAlpZoX+sO21ZmoVWfivarIDC3DmTgVkq0LkuuOyG6X7pZw0qGxrmmc
 1Ae0sboXLiobW1FyaKkI+QqM7PT1AYxB2bDP39pj1ygjqaqOXjzTtl9DRko9Zc5N
 v6zVWA=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-sasl-enc
 :x-sasl-enc; s=smtpout; bh=PBlpDfQS0q0NTCx8hvctbYXKwVc=; b=fQZfS
 tM7TxLTFPd/FOAeN3GHrQjDKjr0caUGZD9jMQxux6MwmmsxIParPK9Pr3O96h8UT
 FAl39JL1ThrhlkqsIwnyfz8r67KBAbq6l2Si4mXI752HYLSQoPI0M4rRCKa7n6wM
 noS8XJC8vaPi2hl+8WvHoacqpA8nmFfPtQHI9c=
X-Sasl-enc: t1jCgs0lnrKQsZugg/s9seOteDAYdaXFKkZrM3ULxheJ 1465246879
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
 by mail.messagingengine.com (Postfix) with ESMTPA id 60C8EF29FA;
 Mon,  6 Jun 2016 17:01:19 -0400 (EDT)
Date: Mon, 6 Jun 2016 17:01:16 -0400
From: Leo Famulari <leo@HIDDEN>
To: Werner Koch <wk@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
Message-ID: <20160606210116.GA14052@jasmine>
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN> <874m98vbcg.fsf@HIDDEN>
 <877fe4hy3y.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <877fe4hy3y.fsf@HIDDEN>
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus@HIDDEN>,
 Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>, neal@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Sun, Jun 05, 2016 at 09:51:45AM +0200, Werner Koch wrote:
> Given that Guix is a new distro you should really try to get rid of 1.4
> and only use 2.1.  For Windows we use the name "gpg" for a long time now
> and there is a configure option --enable-gpg2-is-gpg to make it easier.

If a Guix user installs GnuPG without specifying the version, which I
think is the typical behavior, they will get the latest version that we
package (currently 2.1.12). That's not exactly what you are requesting,
but it should steer some users towards the modern branch :)

For your reference, we package the classic, stable, and modern branches.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 6 Jun 2016 15:32:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jun 06 11:32:17 2016
Received: from localhost ([127.0.0.1]:56921 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9wVj-0000js-0C
	for submit <at> debbugs.gnu.org; Mon, 06 Jun 2016 11:32:17 -0400
Received: from 93-95-228-168.1984.is ([93.95.228.168]:59740
 helo=beleriand.n0.is) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ng0@HIDDEN>) id 1b9tWe-0004Rn-RD
 for 22883 <at> debbugs.gnu.org; Mon, 06 Jun 2016 08:21:02 -0400
Received: by beleriand.n0.is (OpenSMTPD) with ESMTPSA id d07f25d7
 TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO
 for <22883 <at> debbugs.gnu.org>; Mon, 6 Jun 2016 12:20:58 +0000 (UTC)
Date: Mon, 6 Jun 2016 12:20:52 +0000
From: ng0 <ng0@HIDDEN>
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: Authenticating a Git checkout
Message-ID: <20160606122052.GA21849@khazad-dum>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
 <87wpm519um.fsf@HIDDEN> <20160604122003.GA12299@khazad-dum>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw"
Content-Disposition: inline
In-Reply-To: <20160604122003.GA12299@khazad-dum>
X-Spam-Score: 0.4 (/)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Mon, 06 Jun 2016 11:32:14 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.4 (/)


--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2016-06-04(12:45:16PM+0000), ng0 wrote:
> On 2016-06-04(01:17:53+0200), Ludovic Court=C3=A8s wrote:
> > Hi!
> >
> > Mike Gerwitz <mtg@HIDDEN> skribis:
> >
> > > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Court=C3=A8s wrote:
> > >> First, =E2=80=98git pull=E2=80=99 doesn=E2=80=99t do it for you, you=
 have to pass =E2=80=98--verify=E2=80=99 and
> > >> there=E2=80=99s no way to set it globally.
> > >
> > > That's unfortunate.  Does your checkout scenario include a fresh clon=
e?
> > > If so, a pull flag wouldn't help there.
> > >
> > > Leo mentioned a patch; I don't think that'd be too difficult (looking=
 at
> > > other config options in builtin/pull.c), and would be a great idea.  =
It
> > > appears to pass it off to merge.c; that might be a useful area to ver=
ify
> > > signatures as well (pull being a fetch && merge/rebase), in a general
> > > sense.
> >
> > Yeah, it wouldn=E2=80=99t be too hard to add to Git proper, I think, bu=
t we
> > can even live without it initially.
> >
> > >> Second, even if it did, it would be a shallow check: as Mike notes in
> > >> <https://mikegerwitz.com/papers/git-horror-story> with the =E2=80=98=
signchk=E2=80=99
> > >> script, you actually have to traverse the whole commit history and
> > >> authenticate them one by one.  But that=E2=80=99s OK, it runs in pre=
sumably less
> > >> than a minute on a repo the size of Guix=E2=80=99s, and we could als=
o stop at
> > >> signed tags to avoid redundant checks.
> > >
> > > Practically speaking, that's probably fine, though note that a signed
> > > tag is just a signed hash of the commit it points to (with some
> > > metadata), so you're trusting the integrity of SHA-1 and nothing
> > > more.
> > >
> > > With that said, the tag points to what will hopefully be a signed
> > > commit, so if you verify the signature of the tag _and_ that commit,
> > > that'd be even better.  Git's use of SHA-1 makes cryptographic
> > > assurances difficult/awkward.
> > >
> > > An occasional traversal of the entire DAG by, say, a CI script would
> > > provide some pretty good confidence.  I wouldn't say it's necessary f=
or
> > > every pull.
> >
> > Agreed.
> >
> > >> Third, as I wrote before=C2=B9, relying on the OpenPGP web of trust =
to
> > >> determine whether a commit is =E2=80=9Cvalid=E2=80=9D is inappropria=
te: what we want to
> > >> know is whether a commit was made by an authorized person, not wheth=
er
> > >> it was made by someone who happens to have an OpenPGP key directly or
> > >> indirectly certified.
> > >
> > > If you want to keep with the convenience of the web of trust, then you
> > > can have a keyring trusting only the appropriate Guix
> > > hackers.  Otherwise, I agree.
> >
> > Oh right, we could do something like:
> >
> >   gpgv --keyring guix-developers.keyring foo
> >
> > (I realize GSRC uses this idiom already when authenticating source
> > tarballs:
> > <http://bzr.savannah.gnu.org/lh/gsrc/trunk/annotate/head:/gar.lib.mk#L2=
17>.)
> >
> > >> Fourth, there=E2=80=99s inversion of control: =E2=80=98git log=E2=80=
=99 & co. call out to =E2=80=98gpg=E2=80=99,
> > >> so if we want to do something different than just =E2=80=98gpg --ver=
ify=E2=80=99, we
> > >> have to put some other =E2=80=98gpg=E2=80=99 script in $PATH.  Blech.
> > >
> > > What types of things are you considering?
> >
> > Something as simple as this:
> >
> > --8<---------------cut here---------------start------------->8---
> > $ git config gpg.program 'gpgv --keyring /dev/null'
> > $ git verify-commit HEAD
> > error: cannot run gpgv --keyring /dev/null: No such file or directory
> > error: could not run gpg.
> > --8<---------------cut here---------------end--------------->8---
> >
> > :-/
> >
> > >> Seventh, even if it did, what would we do with the raw ASCII-armored
> > >> OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we=
=E2=80=99d
> > >> need to implement OpenPGP (in Guile, maybe based on the OpenPGP libr=
ary
> > >> in Bigloo?)?!
> > >
> > > What about gpgme/libgcrypt?[*]
> >
> > I believe, but haven=E2=80=99t checked carefully, that GPGME is too hig=
h-level;
> > libgcrypt is too low-level (it does not implement OpenPGP.)
> >
> > > [*]: I was actually considering writing an FFI for libgcrypt (if it
> > > doesn't exist already), but it made me uncomfortable without studying
> > > whether Guile can make assurances that pointer-referenced data in
> > > "secure" memory will never be copied anywhere else.  I was going to
> > > bring it up in the near future on the guile mailing list after I did
> > > some research myself; no need to derail the discussion here.
> >
> > We have incomplete libgcrypt bindings:
> >
> >   http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm
> >
> > This is used for the authentication of substitutes:
> >
> >   https://www.gnu.org/software/guix/manual/html_node/Substitutes.html
> >
> > Thanks for your feedback!
> >
> > Ludo=E2=80=99.
> >
> >
> >
>
> Aside from other problems,
> Couldn't we create a separate gpg(-1,-2) package which installs its own G=
PG_HOME_DIR
> and keyring (gpg2 or gpg1 must be present for that, for future purposes a
> gpg2 would be best I think)?
>
> One example:
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Po=
rtage_tree_snapshots
>
> I know this isn't similar to what we want to do, but it might serve as an=
 example.
> The method described in the link downloads an auto-signed tarball snapsho=
t of the
> portage directory via webrsync. The keys are also visible on the wiki and=
 it is up
> to users to put trust in them, as this method is considered optional.
> The source used for this is https://gitweb.gentoo.org/proj/gentoo-keys.gi=
t/tree/README.md
>
> Maybe this helps a bit.
>


Adding to this what I just found:

http://www.tedunangst.com/flak/post/signify
https://github.com/aperezdc/signify

I am /not/ sure if this will be useful for what guix secure pull wants to a=
chieve,
but maybe there's some inspiration to be found in the source.

--
=E2=99=A5=E2=92=B6 ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion

--GvXjxJ+pjyke8COw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXVWqkAAoJEAKilhUMIBgj9vUP/3KqKW6XkrHKdfJOM4x8+A0q
xzCfyYEFYtYtZEL8mlrg8j82sIgVIF12cH+lrLtbV4hilaedO0GHHjDPOJeA0y8J
nSr1KgmLFedJnyFl69klVgzagoxD9uKwh+U90W7DkWs7LedFhQEdbUaugznBEHST
1/j6cLBRZY1ijmrUVMYpEbSpoJpOBPe4jsN/truRHOsLJvvt43gYVhjwIPnLQFTW
bdDl1q/ey2zYBLjDFWFeQKik+UvDxJqa6HtEjeMD8qGg1PQv/LCEiEmviRq0NpSQ
4jrI8oXa85zJSLWWJgv1DZFUC2OdfUrUqa49KWqvyn+58RQAPn5w/dLAsjeqtzYw
Kiq5OLTGlmieArthE630r87PLOCwh1Ift+RMH/1ps2LCCg9prmOhGg107QyvX67m
0RL6uKt6+M68l6EbykrwkCezqnIj1PnthMkWq3y8b+gs0aNflXJuRyCD5j2pGa6l
HXUQ6HFfRuhu9M+Foe3cv0YIux+pMsy5v29Xo0P5azlybNqfmMXPFwVpoLyQChfT
ROzjvsbrlNRLD0Zg6dw6+0yITzTQMwp+CtJUG8+gYbU7OzFVpAzdnldGkPbkTkKN
mt88xTlZNJ7gq58wR4T0Mr1XA1rxIQlXxXfGF574gFNCXKdb95VyGIs9CXgHnxg9
eD79+POFClIi8x2jyx8/
=vzDH
-----END PGP SIGNATURE-----

--GvXjxJ+pjyke8COw--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 6 Jun 2016 07:02:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jun 06 03:02:15 2016
Received: from localhost ([127.0.0.1]:56151 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9oYA-0001wH-Ug
	for submit <at> debbugs.gnu.org; Mon, 06 Jun 2016 03:02:15 -0400
Received: from eggs.gnu.org ([208.118.235.92]:39866)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b9oY9-0001w4-9m
 for 22883 <at> debbugs.gnu.org; Mon, 06 Jun 2016 03:02:13 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b9oY1-0005W8-4F
 for 22883 <at> debbugs.gnu.org; Mon, 06 Jun 2016 03:02:08 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:45192)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b9oXr-0005Um-8v; Mon, 06 Jun 2016 03:01:55 -0400
Received: from pluto.bordeaux.inria.fr ([193.50.110.57]:45892 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1b9oXo-0003q7-RK; Mon, 06 Jun 2016 03:01:53 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Mike Gerwitz <mtg@HIDDEN>
Subject: Re: Authenticating a Git checkout
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
 <87wpm519um.fsf@HIDDEN> <87h9d7e5g7.fsf@HIDDEN>
 <877fe3hwe9.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 19 Prairial an 224 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Mon, 06 Jun 2016 09:01:50 +0200
In-Reply-To: <877fe3hwe9.fsf@HIDDEN> (Mike Gerwitz's message of "Sun, 05 Jun
 2016 22:41:02 -0400")
Message-ID: <87poru7qch.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: Christopher Allan Webber <cwebber@HIDDEN>, 22883 <at> debbugs.gnu.org,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

Hello,

Mike Gerwitz <mtg@HIDDEN> skribis:

> But there doesn't seem to be any way to secure a git repository against
> a second-preimage attack.

That=E2=80=99s by large beyond the scope of this discussion.  :-)

I think all we want is to allow someone who gets a checkout of Guix to
authenticate the source code, i.e., to make sure it was committed by one
of these awesome Guix hackers and not by Mr. Evildoer.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 6 Jun 2016 02:42:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 05 22:42:09 2016
Received: from localhost ([127.0.0.1]:56069 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9kUT-0000ku-DC
	for submit <at> debbugs.gnu.org; Sun, 05 Jun 2016 22:42:09 -0400
Received: from eggs.gnu.org ([208.118.235.92]:44392)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mtg@HIDDEN>) id 1b9kUR-0000kh-Kx
 for 22883 <at> debbugs.gnu.org; Sun, 05 Jun 2016 22:42:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mtg@HIDDEN>) id 1b9kUL-000357-0b
 for 22883 <at> debbugs.gnu.org; Sun, 05 Jun 2016 22:42:02 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:41262)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@HIDDEN>)
 id 1b9kU7-00032Q-Kk; Sun, 05 Jun 2016 22:41:47 -0400
Received: from localhost ([::1]:47076 helo=mikegerwitz-pc.gerwitz.local)
 by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <mtg@HIDDEN>)
 id 1b9kU5-0002RU-Tk; Sun, 05 Jun 2016 22:41:46 -0400
From: Mike Gerwitz <mtg@HIDDEN>
To: Christopher Allan Webber <cwebber@HIDDEN>
Subject: Re: Authenticating a Git checkout
In-Reply-To: <87h9d7e5g7.fsf@HIDDEN> (Christopher Allan Webber's
 message of "Sun, 05 Jun 2016 15:39:04 -0500")
Date: Sun, 05 Jun 2016 22:41:02 -0400
Message-ID: <877fe3hwe9.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
 <87wpm519um.fsf@HIDDEN> <87h9d7e5g7.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha1; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

--=-=-=
Content-Type: text/plain

On Sun, Jun 05, 2016 at 15:39:04 -0500, Christopher Allan Webber wrote:
> One theoretical optimization: if I verify the DAG, could I store
> somewhere that I've verified from commit cabba6e and upward already, so
> the next time I verify it only has to verify the new commits?

tbh, I haven't given this the amount of thought/research that I feel it
needs.  Unfortunately, you got me thinking, so here's another long
message.

In essence, this is equivalent to Ludo's suggestion of stopping at
the last tag (if you envision, say, tagging the last processed commit)
_provided that_ you also verify the commit that the tag is pointing to.

My short answer is: practically speaking, it's probably fine, because
you're more than likely trying to defend against an attacker that gains
access to the repo, not a second-preimage attack.

*   *
  *

Long answer (braindump):

When I consider the potential threats, I consider that the integrity of
each blob, tree, commit, etc are fairly well assured by their hashes,
but depend entirely on the security of SHA-1, whose future is
increasingly grim.  SHA-1 does just fine for uniquely identifying
objects---and if it didn't, hashes offending preimages would just be
blacklisted.  But it was never intended for security.

The problem is pretty bad: signed commits will ensure the integrity of
the commit itself (the object---as in `git cat-file -p COMMIT`); the
problem is that you don't just have to find a preimage for the hashes
signed in that commit: the tree hash is what really dictates the
content, and that tree hash in turn identifies other trees and blobs:

  $ git cat-file -p 'HEAD^{tree}'
  ...
  100644 blob 9b9481deea8cee4cc61971a752d02c04d5f0654e    configure.ac
  040000 tree f2b4528e1f66f3bbc4742dc4a11bd1283cd475b9    doc
  ...

That blob contains the actual file contents.

So in a large project like Guix, you have so many opportunities!  You
can try to find preimages for any of the trees or blobs _without having
to worry about any signatures_; neither trees nor blobs are signed.

With that said, if I recall correctly (and after a very brief glance at
fetch-pack.c), a successful preimage attack would only affect users who
haven't already fetched the legitimate object---otherwise Git wouldn't
bother fetching it.  I'm not sure if I find comfort in this or not: it's
been used by some to dismiss the problem of collisions, but (assuming
git is silent about it---and why wouldn't it be, as it wouldn't know
better) that's worse, since maintainers and common contributors wouldn't
notice anything wrong at all.  But someone who clones fresh and compiles
would be screwed.

So signing commits almost certainly protects you against someone who
gains access to the repository on a common origin or a
maintainer/contributor's PC, provided that nobody's private key is
compromised.

But there doesn't seem to be any way to secure a git repository against
a second-preimage attack.

So given that, it doesn't really matter if you re-verify all the commits
or not: an attacker doesn't need to even bother with the commit
object.  I guess one option is to keep a local copy of the repository,
clone a fresh copy, and occasionally diff _every_ object (commit, tag,
tree, blob) for differences.

So if Git wants to take this issue seriously, changes have to be
made.  In the meantime, in addition to commit verification, you can
always keep around a local copy of the repository, always clone a copy,
and ensure that builds between the two are reproducible.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXVOK/AAoJEPIruBWO4w6rG6MQAJ5IEnnd/pnQNkQkolSKzFov
wQHYUgmbTyqbVpfsKsH39lCgSo886W0gPcZlE+AGZWSPSS2Mrxgalca74x2vydVS
xcJV+2WFq2sSY+EUfvHZh0m9Q1HMliUrWI8MN+FD4jKuBPGIvzmVFxrJZWdS8b2Z
IoWpFXjqld1vMI5YxT1vX5CYpQwXNDKyc4Kpt5slOXlqKI6HPa5NDfonh+mfCuw7
DIdeS5LCLGu0tHXqDYqedroQS23UXl83lyBF9Hfu/zE/fYhdf6FQT8ijwqxK0pwg
h5WNMXEzXNUIh8JLvV0FUv2eRUM5GxW2o5cr2n745z+nWZgkdn043/e4KrL+OV04
BME9g3FPRDffwPhgFD7f3N6sRIAKko/iNd38lEfIcq3OT7kSxO/NuoCOVZP/pmET
nwOuvN7I5EoyaA7pu8uBL+nQpWrutpC7siLEo7erX9eyuGv36jrd1wr0pOVHr89I
pWs5qSngOWopgpuhCWLgHtkDwOEB/LmTJnQ6OGVNFi4GHGo/iTdrTWOjo1x5hz2H
rDeIqC9/zW9bsRxe8kxT1e9fD6QmxiSxKzh4N8hdGQ/41dYyvEfTyrNGEwETGKZ7
o6hpcPDi+1JWXMOSu0x6Pfkym39KByW/jprp0CfNTeBJj58Ub2ROUKIWgzukM5EW
DMM5VaGw7J3XMSSEO5w6
=H9rN
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 5 Jun 2016 21:15:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 05 17:15:20 2016
Received: from localhost ([127.0.0.1]:55934 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9fOC-0008NP-Nj
	for submit <at> debbugs.gnu.org; Sun, 05 Jun 2016 17:15:20 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:52556)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1b9fOB-0008NH-AX
 for 22883 <at> debbugs.gnu.org; Sun, 05 Jun 2016 17:15:19 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id E003820A89;
 Sun,  5 Jun 2016 17:15:18 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute5.internal (MEProxy); Sun, 05 Jun 2016 17:15:18 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=0U2XI
 KgHN4JLTNVPrnJmlI0GxLA=; b=FU5gPLa06DAo8bCgl0cCwfRkUCKEnWWfoo6dY
 viBHGv7xtZQAA3zn9yeAmh2kD89otG5w3yDFfRPKnbv0pYIBkjZtN1OvQaLHSe07
 Hyi5iEaBFNBubv4F6DF1I+k/WQ/KRWYTMWKNiUh1DhF2qaJfcQFyZ1fX5f4fv+vG
 vL7aio=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-sasl-enc
 :x-sasl-enc; s=smtpout; bh=0U2XIKgHN4JLTNVPrnJmlI0GxLA=; b=oWubl
 D7oRUzHiEmnVbWe+MuCpDEhZ2dCL2TneIfrVLl87T6wPKT1YLDy46jaTSfsKU9zj
 d+4oCqv88UCrwXetyMF2Jfc2JNDa+uJkrIAIl3hG7BQVEMmJEjofvTbK1jkQv0im
 DQ/r3+i5Cactql27EReFkAM6sRE8teu7xyP+pc=
X-Sasl-enc: BoBz/KYYHeMSPbIOwwTmbEj5iVRS08iO7mG9P+aUrtO1 1465161318
Received: from localhost (c-68-81-58-201.hsd1.pa.comcast.net [68.81.58.201])
 by mail.messagingengine.com (Postfix) with ESMTPA id 67D59CCD99;
 Sun,  5 Jun 2016 17:15:18 -0400 (EDT)
Date: Sun, 5 Jun 2016 17:15:17 -0400
From: Leo Famulari <leo@HIDDEN>
To: Christopher Allan Webber <cwebber@HIDDEN>
Subject: Re: Authenticating a Git checkout
Message-ID: <20160605211517.GA2928@jasmine>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
 <87wpm519um.fsf@HIDDEN> <87h9d7e5g7.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87h9d7e5g7.fsf@HIDDEN>
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Mike Gerwitz <mtg@HIDDEN>,
 Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Sun, Jun 05, 2016 at 03:39:04PM -0500, Christopher Allan Webber wrote:
> One theoretical optimization: if I verify the DAG, could I store
> somewhere that I've verified from commit cabba6e and upward already, so
> the next time I verify it only has to verify the new commits?

AIUI `git verify-commit` takes a single commit as an argument, so you
can pass it an argument like this:

$ git verify-commit $(git rev-list deadbeef..cabba6e)

... and it will only look at those. So, you would tailor the range of
commits that you want to verify.

> Mostly makes sense if we're already going down the only mildly
> crazypants direction of implementing our own tooling :)

It seems you'd want a tool that you trust to store a reference to the
latest commit you trust, and use it to create the range of commits you
pass to `git rev-list`.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 5 Jun 2016 20:39:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 05 16:39:08 2016
Received: from localhost ([127.0.0.1]:55918 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9epA-0007Xb-72
	for submit <at> debbugs.gnu.org; Sun, 05 Jun 2016 16:39:08 -0400
Received: from dustycloud.org ([50.116.34.160]:41232)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1b9ep8-0007XT-Nq
 for 22883 <at> debbugs.gnu.org; Sun, 05 Jun 2016 16:39:07 -0400
Received: from oolong (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 6CB3626674;
 Sun,  5 Jun 2016 16:39:05 -0400 (EDT)
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN> <87wpm519um.fsf@HIDDEN>
User-agent: mu4e 0.9.13; emacs 24.5.1
From: Christopher Allan Webber <cwebber@HIDDEN>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: Authenticating a Git checkout
In-reply-to: <87wpm519um.fsf@HIDDEN>
Date: Sun, 05 Jun 2016 15:39:04 -0500
Message-ID: <87h9d7e5g7.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Mike Gerwitz <mtg@HIDDEN>,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

Ludovic Courtès writes:

>>> Second, even if it did, it would be a shallow check: as Mike notes in
>>> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’
>>> script, you actually have to traverse the whole commit history and
>>> authenticate them one by one.  But that’s OK, it runs in presumably less
>>> than a minute on a repo the size of Guix’s, and we could also stop at
>>> signed tags to avoid redundant checks.
>>
>> Practically speaking, that's probably fine, though note that a signed
>> tag is just a signed hash of the commit it points to (with some
>> metadata), so you're trusting the integrity of SHA-1 and nothing
>> more.
>>
>> With that said, the tag points to what will hopefully be a signed
>> commit, so if you verify the signature of the tag _and_ that commit,
>> that'd be even better.  Git's use of SHA-1 makes cryptographic
>> assurances difficult/awkward.
>>
>> An occasional traversal of the entire DAG by, say, a CI script would
>> provide some pretty good confidence.  I wouldn't say it's necessary for
>> every pull.
>
> Agreed.

One theoretical optimization: if I verify the DAG, could I store
somewhere that I've verified from commit cabba6e and upward already, so
the next time I verify it only has to verify the new commits?

Mostly makes sense if we're already going down the only mildly
crazypants direction of implementing our own tooling :)

 - Chris





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 5 Jun 2016 07:56:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 05 03:56:30 2016
Received: from localhost ([127.0.0.1]:54863 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9Sv8-0001xi-Fb
	for submit <at> debbugs.gnu.org; Sun, 05 Jun 2016 03:56:30 -0400
Received: from kerckhoffs.g10code.com ([217.69.77.222]:35610)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <wk@HIDDEN>) id 1b9Sv5-0001xW-Ji
 for 22883 <at> debbugs.gnu.org; Sun, 05 Jun 2016 03:56:29 -0400
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2
 (Debian)) id 1b9Sv4-0002JW-5c
 for <22883 <at> debbugs.gnu.org>; Sun, 05 Jun 2016 09:56:26 +0200
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian))
 id 1b9SqX-00018G-CX; Sun, 05 Jun 2016 09:51:45 +0200
From: Werner Koch <wk@HIDDEN>
To: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: bug#22883: Trustable "guix pull"
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN> <874m98vbcg.fsf@HIDDEN>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read!
 Please send only plain text.
OpenPGP: url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367
Date: Sun, 05 Jun 2016 09:51:45 +0200
In-Reply-To: <874m98vbcg.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22'?=
 =?utf-8?Q?s?= message of "Sun, 05 Jun 2016 00:27:27 +0200")
Message-ID: <877fe4hy3y.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus@HIDDEN>, neal@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

On Sun,  5 Jun 2016 00:27, ludo@HIDDEN said:

> cannot or shouldn=E2=80=99t try to guess what=E2=80=99s =E2=80=9Cbest=E2=
=80=9D, IMO.  So in this case,
> we keep the default names, =E2=80=98gpg2=E2=80=99 and =E2=80=98gpgv2=E2=
=80=99.
>
> Do you think we should rename those files?

Given that Guix is a new distro you should really try to get rid of 1.4
and only use 2.1.  For Windows we use the name "gpg" for a long time now
and there is a configure option --enable-gpg2-is-gpg to make it easier.

> We sign commits and it=E2=80=99s wonderful; now all we need is tools to a=
ctually
> use those signatures to authenticate checkouts.  :-)

Right - Although I sign my commits,e other GnuPG hackers don't do it,
and thus for me there is no strong need to verify the commits. But we
should have these tools.


Shalom-Salam,

   Werner

--=20
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 5 Jun 2016 01:44:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 21:44:34 2016
Received: from localhost ([127.0.0.1]:54787 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9N7C-0006Rm-8Y
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 21:44:34 -0400
Received: from eggs.gnu.org ([208.118.235.92]:57319)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mtg@HIDDEN>) id 1b9N79-0006RW-Da
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 21:44:33 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mtg@HIDDEN>) id 1b9N73-0001QR-9s
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 21:44:26 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:47970)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@HIDDEN>)
 id 1b9N6e-0001Pe-P5; Sat, 04 Jun 2016 21:44:00 -0400
Received: from localhost ([::1]:53784 helo=mikegerwitz-pc.gerwitz.local)
 by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <mtg@HIDDEN>)
 id 1b9N6c-0001vb-LQ; Sat, 04 Jun 2016 21:43:58 -0400
From: Mike Gerwitz <mtg@HIDDEN>
To: Werner Koch <wk@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
In-Reply-To: <87fustj59o.fsf@HIDDEN> (Werner Koch's message of
 "Sat, 04 Jun 2016 18:19:31 +0200")
Date: Sat, 04 Jun 2016 21:43:29 -0400
Message-ID: <877fe4v29q.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha1; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus@HIDDEN>, neal@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Sat, Jun 04, 2016 at 18:19:31 +0200, Werner Koch wrote:
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons.  That output creates a well
> defined API and we try very hard never to break it.
> [...]
> I have never looked into git to check whether git correctly calls gpg
> to verify signatures.  That should eventually be done.

A quick glance (latest master, gpg-interface.c:208 verify_signed_buffer):

It invokes `gpg --status-fd=3D1 --verify FILE -`, where FILE is a
signature written to a temporary file for the sake of invoking
GPG.  It checks for a non-zero exit code and GOODSIG:

  ret |=3D !strstr(pbuf->buf, "\n[GNUPG:] GOODSIG ");

=2D-=20
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXU4PCAAoJEPIruBWO4w6rvUkQAL+wAjJzmREj9S0QpxTXyuof
X+gSnbbj4BMnpPwHEHZZWJDl0dFaGe2Pa6mhzFHvHi0I4NhN29IxyxyjwPyKnRpt
Ou3Oy/CkVQDg4K0psiP3/80Ga89vydzilsa76ImuJVznd+NwzyaaUqL4rJs7ruPK
xqIHzput0540HmgP8l6BUSE5eMjXAMzT3j0Rg4BVayuV1neP4U+jWfKw7AU7Tpz0
5o9+8ZzbWy6hjp4XhhK5q3q3oYN0/5wzJVpbTvfbMd3mqb28HE4w1Gx9B8/sCkr8
LoMdphhzbmAGIZCHp1L80HYeCpiXxFIG4xacOUGkTQBJaqmuWDYk8YEAWLNq8F5C
BX2ziDaMQDkogp3eUk/Ttj18enmNjyPjU8QS9V8fA6NpYEDJOEvqLn7pYR0zTHXD
GV9XNzB6qoBPVyZsFJ8jPlL0ABQpdPeNpujvHqZIBVbBxcvlsWRjnfCqaHNNU8GR
ywWGRCTErHZhGv8f9v9Rp/++JcR69c33ugqoNQlhNBED9VbGuffwRtsQnNVDMI7p
vrqJB9b4RNeMHD9YTNPUorCXOSfiqkrSWhczZOnpk1ZAAcmG+ct/d71CPMLwyscr
BqOqVn/YqwCEgCQov2wgg3L3yVkxSF3JfpCehA+OvKylEUerpNFGPGxpTY2cCNlD
47dtn5nCiyvDTBs3d7uR
=zLgc
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 22:28:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 18:28:09 2016
Received: from localhost ([127.0.0.1]:54704 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9K33-0000A0-Q2
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 18:28:09 -0400
Received: from eggs.gnu.org ([208.118.235.92]:33182)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b9K32-00009V-3G
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 18:28:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b9K2s-0000s7-Vm
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 18:27:58 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:45986)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b9K2V-0000pK-EA; Sat, 04 Jun 2016 18:27:31 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:47394 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1b9K2U-0000Vo-HK; Sat, 04 Jun 2016 18:27:30 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Werner Koch <wk@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
References: <87io14sqoa.fsf@HIDDEN>
 <87fustj59o.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 18 Prairial an 224 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Sun, 05 Jun 2016 00:27:27 +0200
In-Reply-To: <87fustj59o.fsf@HIDDEN> (Werner Koch's message of
 "Sat, 04 Jun 2016 18:19:31 +0200")
Message-ID: <874m98vbcg.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Justus Winter <justus@HIDDEN>, neal@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

Hi Werner,

Werner Koch <wk@HIDDEN> skribis:

> I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alread
> moved to name gpg2 gpg)

We have a policy to respect what upstream does because in general we
cannot or shouldn=E2=80=99t try to guess what=E2=80=99s =E2=80=9Cbest=E2=80=
=9D, IMO.  So in this case,
we keep the default names, =E2=80=98gpg2=E2=80=99 and =E2=80=98gpgv2=E2=80=
=99.

Do you think we should rename those files?

> because we once wrote it for Debian.  It has the simplest semantics
> and thus best fits your purpose.  We use it in GnuPG itself for the
> speedo build system; it is sufficent to run this simple script:
>
> --8<---------------cut here---------------start------------->8---
>   if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
>     echo "list of software versions is not valid!" >&2
>     exit 1
>   fi
> --8<---------------cut here---------------end--------------->8---

OK.

The problem I mentioned is that git expects to invoke =E2=80=98gpg=E2=80=99=
, not =E2=80=98gpgv=E2=80=99,
and it does not provide a way to pass a different argument list:

  https://github.com/git/git/blob/master/gpg-interface.c#L213

> In all other context I would suggest the use of GPGME to verify
> signatures, because GPGME also evaluates the trust and all the status
> line gpg spits out.
>
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons.  That output creates a well
> defined API and we try very hard never to break it.

I=E2=80=99m aware of it, but unfortunately, git invokes gpg on the user=E2=
=80=99s
behalf, and all it gives is the human-readable, l10n=E2=80=99d output:

--8<---------------cut here---------------start------------->8---
$ LANGUAGE=3Dfr_FR git log  --pretty=3D"format:%H %GG" HEAD |head -4
40d71e44f5068b28f48bd131940260cc0ab2e2d1 gpg: Signature faite le Sun 05 Jun=
 2016 12:05:39 AM CEST avec la clef RSA d'identifiant 3D9AEBB5
gpg: Bonne signature de =C2=AB=C2=A0Ludovic Court=C3=A8s <ludo@HIDDEN>=C2=
=A0=C2=BB [totale]
gpg:                 alias =C2=AB=C2=A0Ludovic Court=C3=A8s <ludo@HIDDEN=
rg>=C2=A0=C2=BB [totale]
gpg:                 alias =C2=AB=C2=A0Ludovic Court=C3=A8s (Inria) <ludovi=
c.courtes@HIDDEN>=C2=A0=C2=BB [totale]
--8<---------------cut here---------------end--------------->8---

(Internally it does use =E2=80=98--status-fd=E2=80=99 but that doesn=E2=80=
=99t help us as
users.)

> Mike Gerwitz's article is a bit long read right now.  I have never
> looked into git to check whether git correctly calls gpg to verify
> signatures.  That should eventually be done.  And yes, please sign your
> commits (I use an Ed25519 key stored on a Gnuk token; which works very
> well).

We sign commits and it=E2=80=99s wonderful; now all we need is tools to act=
ually
use those signatures to authenticate checkouts.  :-)

Thanks for taking the time to comment!

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 17:02:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 13:02:45 2016
Received: from localhost ([127.0.0.1]:54578 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9EyC-00031j-5U
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 13:02:45 -0400
Received: from 93-95-228-168.1984.is ([93.95.228.168]:59600
 helo=beleriand.n0.is) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ng0@HIDDEN>) id 1b9Ax7-0003kZ-Er
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 08:45:22 -0400
Received: by beleriand.n0.is (OpenSMTPD) with ESMTPSA id 5a01c04b
 TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO
 for <22883 <at> debbugs.gnu.org>; Sat, 4 Jun 2016 12:45:18 +0000 (UTC)
Date: Sat, 4 Jun 2016 12:45:16 +0000
From: ng0 <ng0@HIDDEN>
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: Authenticating a Git checkout
Message-ID: <20160604122003.GA12299@khazad-dum>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
 <87wpm519um.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="b5gNqxB1S1yM7hjW"
Content-Disposition: inline
In-Reply-To: <87wpm519um.fsf@HIDDEN>
X-Spam-Score: 0.4 (/)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Sat, 04 Jun 2016 13:02:43 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.4 (/)


--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2016-06-04(01:17:53+0200), Ludovic Court=C3=A8s wrote:
> Hi!
>
> Mike Gerwitz <mtg@HIDDEN> skribis:
>
> > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Court=C3=A8s wrote:
> >> First, =E2=80=98git pull=E2=80=99 doesn=E2=80=99t do it for you, you h=
ave to pass =E2=80=98--verify=E2=80=99 and
> >> there=E2=80=99s no way to set it globally.
> >
> > That's unfortunate.  Does your checkout scenario include a fresh clone?
> > If so, a pull flag wouldn't help there.
> >
> > Leo mentioned a patch; I don't think that'd be too difficult (looking at
> > other config options in builtin/pull.c), and would be a great idea.  It
> > appears to pass it off to merge.c; that might be a useful area to verify
> > signatures as well (pull being a fetch && merge/rebase), in a general
> > sense.
>
> Yeah, it wouldn=E2=80=99t be too hard to add to Git proper, I think, but =
we
> can even live without it initially.
>
> >> Second, even if it did, it would be a shallow check: as Mike notes in
> >> <https://mikegerwitz.com/papers/git-horror-story> with the =E2=80=98si=
gnchk=E2=80=99
> >> script, you actually have to traverse the whole commit history and
> >> authenticate them one by one.  But that=E2=80=99s OK, it runs in presu=
mably less
> >> than a minute on a repo the size of Guix=E2=80=99s, and we could also =
stop at
> >> signed tags to avoid redundant checks.
> >
> > Practically speaking, that's probably fine, though note that a signed
> > tag is just a signed hash of the commit it points to (with some
> > metadata), so you're trusting the integrity of SHA-1 and nothing
> > more.
> >
> > With that said, the tag points to what will hopefully be a signed
> > commit, so if you verify the signature of the tag _and_ that commit,
> > that'd be even better.  Git's use of SHA-1 makes cryptographic
> > assurances difficult/awkward.
> >
> > An occasional traversal of the entire DAG by, say, a CI script would
> > provide some pretty good confidence.  I wouldn't say it's necessary for
> > every pull.
>
> Agreed.
>
> >> Third, as I wrote before=C2=B9, relying on the OpenPGP web of trust to
> >> determine whether a commit is =E2=80=9Cvalid=E2=80=9D is inappropriate=
: what we want to
> >> know is whether a commit was made by an authorized person, not whether
> >> it was made by someone who happens to have an OpenPGP key directly or
> >> indirectly certified.
> >
> > If you want to keep with the convenience of the web of trust, then you
> > can have a keyring trusting only the appropriate Guix
> > hackers.  Otherwise, I agree.
>
> Oh right, we could do something like:
>
>   gpgv --keyring guix-developers.keyring foo
>
> (I realize GSRC uses this idiom already when authenticating source
> tarballs:
> <http://bzr.savannah.gnu.org/lh/gsrc/trunk/annotate/head:/gar.lib.mk#L217=
>.)
>
> >> Fourth, there=E2=80=99s inversion of control: =E2=80=98git log=E2=80=
=99 & co. call out to =E2=80=98gpg=E2=80=99,
> >> so if we want to do something different than just =E2=80=98gpg --verif=
y=E2=80=99, we
> >> have to put some other =E2=80=98gpg=E2=80=99 script in $PATH.  Blech.
> >
> > What types of things are you considering?
>
> Something as simple as this:
>
> --8<---------------cut here---------------start------------->8---
> $ git config gpg.program 'gpgv --keyring /dev/null'
> $ git verify-commit HEAD
> error: cannot run gpgv --keyring /dev/null: No such file or directory
> error: could not run gpg.
> --8<---------------cut here---------------end--------------->8---
>
> :-/
>
> >> Seventh, even if it did, what would we do with the raw ASCII-armored
> >> OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we=E2=
=80=99d
> >> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
> >> in Bigloo?)?!
> >
> > What about gpgme/libgcrypt?[*]
>
> I believe, but haven=E2=80=99t checked carefully, that GPGME is too high-=
level;
> libgcrypt is too low-level (it does not implement OpenPGP.)
>
> > [*]: I was actually considering writing an FFI for libgcrypt (if it
> > doesn't exist already), but it made me uncomfortable without studying
> > whether Guile can make assurances that pointer-referenced data in
> > "secure" memory will never be copied anywhere else.  I was going to
> > bring it up in the near future on the guile mailing list after I did
> > some research myself; no need to derail the discussion here.
>
> We have incomplete libgcrypt bindings:
>
>   http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm
>
> This is used for the authentication of substitutes:
>
>   https://www.gnu.org/software/guix/manual/html_node/Substitutes.html
>
> Thanks for your feedback!
>
> Ludo=E2=80=99.
>
>
>

Aside from other problems,
Couldn't we create a separate gpg(-1,-2) package which installs its own GPG=
_HOME_DIR
and keyring (gpg2 or gpg1 must be present for that, for future purposes a
gpg2 would be best I think)?

One example:
https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Port=
age_tree_snapshots

I know this isn't similar to what we want to do, but it might serve as an e=
xample.
The method described in the link downloads an auto-signed tarball snapshot =
of the
portage directory via webrsync. The keys are also visible on the wiki and i=
t is up
to users to put trust in them, as this method is considered optional.
The source used for this is https://gitweb.gentoo.org/proj/gentoo-keys.git/=
tree/README.md

Maybe this helps a bit.

--
=E2=99=A5=E2=92=B6 ng0
4096R/13212A27975AF07677A29F7002A296150C201823

--b5gNqxB1S1yM7hjW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXUs1bAAoJEAKilhUMIBgj7OgP/3/o5pRZA+o/IixERZnZLCVF
YJNRYrqGo05myJSjF1SudwJ5F2WIQLnBwkiwet7d5dTRkFseDdbcWsLyW3c58ccC
laLzau1J4rCo3DlN+SqEnShQeSpLu2SnJ2IGT8hJeUh7SvveIbisSj4Wk43a6Zo1
GCplzRfyNEm09ZHJ1D+x6LxfjTex5C1/GYIN2T7rz6DhPWUZWr742TMdoXwrfChO
BI/IEANtcVFWdl68yHYnosC6X6PlgN8O/01cSXrcl9XPWNiglmkx3q4EnIjC09+9
ksfGx2DmE+Dse7L2aR8EXTwnHjGk9tzY+F2C0n2TBjckSfmYEDRocTUC4nbXr/LF
IBXPjytayHV4TVTqBiZ7YOgblQ119AoLo/XpGsa7vh7IAl3iUHryE6B2/ZoPiOVo
vb41mitZyIeuaG0k3/7r7/+2JcjDgJHo8ECd/lMz905/2IUGNZL8cWqUjFK4D5ae
ei2KFL03sYWGqa8NZPiElLxLXa7SSpRqWdv6+ATbwGADJj/TA1QT1uhpZQuY9WIV
j87blo+k+D1/xV6TZXcH8LejURXhGjMc9KC+Gvw8GTIJQ4SWECqmgwOJhcgCCcGc
JpK3dprHt+z4FUZ/9gi/5wMd+BAa2o+laZnQv8PW7+NAfVhu0ywCh4MePoJfSWvI
I5MfTXZmqaitWeI6HDh/
=rE0l
-----END PGP SIGNATURE-----

--b5gNqxB1S1yM7hjW--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 16:24:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 12:24:13 2016
Received: from localhost ([127.0.0.1]:54553 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9EMv-0007Df-II
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 12:24:13 -0400
Received: from eggs.gnu.org ([208.118.235.92]:44245)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mtg@HIDDEN>) id 1b9EMt-0007DQ-Jn
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 12:24:12 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mtg@HIDDEN>) id 1b9EMn-00018g-LT
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 12:24:06 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:40691)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@HIDDEN>)
 id 1b9EMY-000131-QT; Sat, 04 Jun 2016 12:23:50 -0400
Received: from localhost ([::1]:46505 helo=mikegerwitz-pc.gerwitz.local)
 by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <mtg@HIDDEN>)
 id 1b9EMX-0000SY-3g; Sat, 04 Jun 2016 12:23:49 -0400
From: Mike Gerwitz <mtg@HIDDEN>
To: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Authenticating a Git checkout
In-Reply-To: <87wpm519um.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Sat, 04 Jun 2016 13:17:53 +0200")
Date: Sat, 04 Jun 2016 12:14:03 -0400
Message-ID: <87vb1pue2c.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
 <87wpm519um.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha1; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Christopher Allan Webber <cwebber@HIDDEN>,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Sat, Jun 04, 2016 at 13:17:53 +0200, Ludovic Court=C3=A8s wrote:
> We have incomplete libgcrypt bindings:
>
>   http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm
>
> This is used for the authentication of substitutes:
>
>   https://www.gnu.org/software/guix/manual/html_node/Substitutes.html

Oh, excellent; I'm not sure if I would have come across that.  I should
poke around Guix a bit more and see all the goodies that everyone has
created.

Thanks.

=2D-=20
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXUv5MAAoJEPIruBWO4w6rKHIQAIasJhaGNrc+qyll1XP2wgeI
Ljexdx8A88mGZFCc+NZR5WOJPbyOTp8bVXTHjpDHPDPy+ngPzY83+dyZ7CyX/rfN
Bmmxb0zszasibkdt3yxp+yzxe/lnZsy7913jHTS7KDz3VQIHU8nBBNPd+uzbRsrO
IE3QFkybnmr8EfqRrdLhAkVdOA4OAs0ZKZCFotsGZs2SxmONq4O1JYfLDtH166PA
YHcQ5J+j8Am2Zs/Pzw1Q+FSdsLO99T5ky58YIHfZWUazlYAEnmS/3HyxrnKe0YTt
m1VsktRpg3ceuA4GR1/ltUBxZs81fPLNf9GkRM//N4xRv/+d1MSubOxN9F2VUC4D
LbkhkGK8hcCvWltPU7v3/m23ISDelAJXiBoH16ExicK9wyl7VTDS88LUY/x/OmGI
KU/Qs2+VRM5VRpYsPwRdXGUHTL3vT/NtXBGt66jYxAiAaWppDKJrahVr80rMX1yg
1P4UaiV2+2S58MUAA2M1WDLzFk56nfwEqHl/8rZ6GwKCUG9rYftdqPrJcUPtgvho
oCw5Ggg69ILn3mSvDrvjResH7iGOnDDm7KK2mhXCugtS+TJYTIpGrIlbA7yqCN7k
nzvz326KrWcNOJdKZ3dUO2USn5TuZQEHfWWTtaFVCrk3gSGY+cCWw7EDE426xsp2
KFeImHipjgzRW2yoq+YS
=OB+w
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 16:21:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 12:21:30 2016
Received: from localhost ([127.0.0.1]:54545 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b9EKH-000797-UK
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 12:21:30 -0400
Received: from kerckhoffs.g10code.com ([217.69.77.222]:33625)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <wk@HIDDEN>) id 1b9EKF-00078x-Pv
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 12:21:28 -0400
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2
 (Debian)) id 1b9EKD-0004M5-Hm
 for <22883 <at> debbugs.gnu.org>; Sat, 04 Jun 2016 18:21:25 +0200
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian))
 id 1b9EIX-0002Vi-LP; Sat, 04 Jun 2016 18:19:41 +0200
From: Werner Koch <wk@HIDDEN>
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: Trustable "guix pull"
In-reply-to: 87bn3iz1xc.fsf_-_@HIDDEN
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read!
 Please send only plain text.
OpenPGP: url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367
Date: Sat, 04 Jun 2016 18:19:31 +0200
Message-ID: <87fustj59o.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed;
 boundary="=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU";
 micalg=pgp-sha1; protocol="application/pgp-signature"
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 22883
Cc: Justus Winter <justus@HIDDEN>, neal@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

--=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU
Content-Transfer-Encoding: quoted-printable

Hi,

Ludo' asked us to send some comments on how to verify git commits.  I
only had time to quickly browse the mail thread.

I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alread
moved to name gpg2 gpg) because we once wrote it for Debian.  It has the
simplest semantics and thus best fits your purpose.  We use it in GnuPG
itself for the speedo build system; it is sufficent to run this simple
script:

=2D-8<---------------cut here---------------start------------->8---
  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
    echo "list of software versions is not valid!" >&2
    exit 1
  fi
=2D-8<---------------cut here---------------end--------------->8---

In all other context I would suggest the use of GPGME to verify
signatures, because GPGME also evaluates the trust and all the status
line gpg spits out.

There are no issues with l10n because _all_ scripts SHOULD use gpg with
the options --status-fd and --with-colons.  That output creates a well
defined API and we try very hard never to break it.

Mike Gerwitz's article is a bit long read right now.  I have never
looked into git to check whether git correctly calls gpg to verify
signatures.  That should eventually be done.  And yes, please sign your
commits (I use an Ed25519 key stored on a Gnuk token; which works very
well).


Shalom-Salam,

   Werner


=2D-=20
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */

--=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAldS/5MACgkQTwVA1Xf5X5UTbwCcDeNN2/ePPwpepQAntqID3Xgd
Mg4An2pyS784pTkPxV1e6WwrXkb0TOWr
=24e4
-----END PGP SIGNATURE-----
--=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU--





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 11:18:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 07:18:25 2016
Received: from localhost ([127.0.0.1]:53781 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b99ay-000090-Ld
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 07:18:24 -0400
Received: from eggs.gnu.org ([208.118.235.92]:51670)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b99aw-00008m-Jk
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 07:18:22 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b99ap-0006IK-PQ
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 07:18:17 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:37380)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b99aX-0006HD-JU; Sat, 04 Jun 2016 07:17:57 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:46078 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1b99aV-0001bE-4p; Sat, 04 Jun 2016 07:17:55 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Mike Gerwitz <mtg@HIDDEN>
Subject: Re: Authenticating a Git checkout
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <87bn3hwpgo.fsf@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 17 Prairial an 224 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Sat, 04 Jun 2016 13:17:53 +0200
In-Reply-To: <87bn3hwpgo.fsf@HIDDEN> (Mike Gerwitz's message of "Sat, 04 Jun
 2016 00:24:55 -0400")
Message-ID: <87wpm519um.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Christopher Allan Webber <cwebber@HIDDEN>,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

Hi!

Mike Gerwitz <mtg@HIDDEN> skribis:

> On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Court=C3=A8s wrote:
>> First, =E2=80=98git pull=E2=80=99 doesn=E2=80=99t do it for you, you hav=
e to pass =E2=80=98--verify=E2=80=99 and
>> there=E2=80=99s no way to set it globally.
>
> That's unfortunate.  Does your checkout scenario include a fresh clone?
> If so, a pull flag wouldn't help there.
>
> Leo mentioned a patch; I don't think that'd be too difficult (looking at
> other config options in builtin/pull.c), and would be a great idea.  It
> appears to pass it off to merge.c; that might be a useful area to verify
> signatures as well (pull being a fetch && merge/rebase), in a general
> sense.

Yeah, it wouldn=E2=80=99t be too hard to add to Git proper, I think, but we
can even live without it initially.

>> Second, even if it did, it would be a shallow check: as Mike notes in
>> <https://mikegerwitz.com/papers/git-horror-story> with the =E2=80=98sign=
chk=E2=80=99
>> script, you actually have to traverse the whole commit history and
>> authenticate them one by one.  But that=E2=80=99s OK, it runs in presuma=
bly less
>> than a minute on a repo the size of Guix=E2=80=99s, and we could also st=
op at
>> signed tags to avoid redundant checks.
>
> Practically speaking, that's probably fine, though note that a signed
> tag is just a signed hash of the commit it points to (with some
> metadata), so you're trusting the integrity of SHA-1 and nothing
> more.
>
> With that said, the tag points to what will hopefully be a signed
> commit, so if you verify the signature of the tag _and_ that commit,
> that'd be even better.  Git's use of SHA-1 makes cryptographic
> assurances difficult/awkward.
>
> An occasional traversal of the entire DAG by, say, a CI script would
> provide some pretty good confidence.  I wouldn't say it's necessary for
> every pull.

Agreed.

>> Third, as I wrote before=C2=B9, relying on the OpenPGP web of trust to
>> determine whether a commit is =E2=80=9Cvalid=E2=80=9D is inappropriate: =
what we want to
>> know is whether a commit was made by an authorized person, not whether
>> it was made by someone who happens to have an OpenPGP key directly or
>> indirectly certified.
>
> If you want to keep with the convenience of the web of trust, then you
> can have a keyring trusting only the appropriate Guix
> hackers.  Otherwise, I agree.

Oh right, we could do something like:

  gpgv --keyring guix-developers.keyring foo

(I realize GSRC uses this idiom already when authenticating source
tarballs:
<http://bzr.savannah.gnu.org/lh/gsrc/trunk/annotate/head:/gar.lib.mk#L217>.)

>> Fourth, there=E2=80=99s inversion of control: =E2=80=98git log=E2=80=99 =
& co. call out to =E2=80=98gpg=E2=80=99,
>> so if we want to do something different than just =E2=80=98gpg --verify=
=E2=80=99, we
>> have to put some other =E2=80=98gpg=E2=80=99 script in $PATH.  Blech.
>
> What types of things are you considering?

Something as simple as this:

--8<---------------cut here---------------start------------->8---
$ git config gpg.program 'gpgv --keyring /dev/null'
$ git verify-commit HEAD
error: cannot run gpgv --keyring /dev/null: No such file or directory
error: could not run gpg.
--8<---------------cut here---------------end--------------->8---

:-/

>> Seventh, even if it did, what would we do with the raw ASCII-armored
>> OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we=E2=80=
=99d
>> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
>> in Bigloo?)?!
>
> What about gpgme/libgcrypt?[*]

I believe, but haven=E2=80=99t checked carefully, that GPGME is too high-le=
vel;
libgcrypt is too low-level (it does not implement OpenPGP.)

> [*]: I was actually considering writing an FFI for libgcrypt (if it
> doesn't exist already), but it made me uncomfortable without studying
> whether Guile can make assurances that pointer-referenced data in
> "secure" memory will never be copied anywhere else.  I was going to
> bring it up in the near future on the guile mailing list after I did
> some research myself; no need to derail the discussion here.

We have incomplete libgcrypt bindings:

  http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm

This is used for the authentication of substitutes:

  https://www.gnu.org/software/guix/manual/html_node/Substitutes.html

Thanks for your feedback!

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 11:04:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 07:04:26 2016
Received: from localhost ([127.0.0.1]:53773 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b99NS-0008G9-3e
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 07:04:26 -0400
Received: from eggs.gnu.org ([208.118.235.92]:49901)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b99NQ-0008Fu-Cb
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 07:04:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b99NK-0003I4-3L
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 07:04:19 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:37269)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b99NC-0003C2-VS; Sat, 04 Jun 2016 07:04:11 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:45854 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1b99NA-00056p-Gp; Sat, 04 Jun 2016 07:04:09 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Leo Famulari <leo@HIDDEN>
Subject: Re: Authenticating a Git checkout
In-Reply-To: <20160603201717.GB32008@jasmine> (Leo Famulari's message of "Fri, 
 3 Jun 2016 16:17:17 -0400")
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN> <20160603201717.GB32008@jasmine>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 17 Prairial an 224 de la =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Sat, 04 Jun 2016 13:04:05 +0200
Message-ID: <87inxp2p22.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Mike Gerwitz <mtg@HIDDEN>,
 Christopher Allan Webber <cwebber@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

Leo Famulari <leo@HIDDEN> skribis:

> On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Court=C3=A8s wrote:
>> Hello!
>>=20
>> So we sign Git commits, and now we want to authenticate Git checkouts.
>> There=E2=80=99s a series of bad news.
>>=20
>> First, =E2=80=98git pull=E2=80=99 doesn=E2=80=99t do it for you, you hav=
e to pass =E2=80=98--verify=E2=80=99 and
>> there=E2=80=99s no way to set it globally.
>
> Since Git already has the git-verify-commit tool, I bet we could
> convince the Git project to implement this as a repo configuration
> option. Even better if we brought a patch :)

Sure.  :-)

>> Third, as I wrote before=C2=B9, relying on the OpenPGP web of trust to
>> determine whether a commit is =E2=80=9Cvalid=E2=80=9D is inappropriate: =
what we want to
>> know is whether a commit was made by an authorized person, not whether
>> it was made by someone who happens to have an OpenPGP key directly or
>> indirectly certified.  IOW, we want to know whether the key used to sign
>> the commit is among the authorized developer keys.
>
> So, we need some sort of Guix keyring system, right? We'd have to verify
> that a signature was made with an authorized key, and then validate the
> signature itself? Now it's getting complicated...

Fundamentally, it=E2=80=99s very simple.  It=E2=80=99s just that OpenPGP is=
 not designed
to do this, and GPG doesn=E2=80=99t help with such uses.

>> Fourth, there=E2=80=99s inversion of control: =E2=80=98git log=E2=80=99 =
& co. call out to =E2=80=98gpg=E2=80=99,
>> so if we want to do something different than just =E2=80=98gpg --verify=
=E2=80=99, we
>> have to put some other =E2=80=98gpg=E2=80=99 script in $PATH.  Blech.
>>=20
>> Fifth, even if we did that, we=E2=80=99d be stuck parsing the possibly l=
10n=E2=80=99d
>> output of =E2=80=98gpg=E2=80=99.  Pretty fragile.
>
> According to the man pages gpg(1) and gpg2(1), the value "1" is returned
> if a signature check fails, and there are "other error codes for fatal
> errors". If these return values are consistent across GPG versions,
> maybe they provide enough information for us.

The problem is the meaning of a =E2=80=9Csignature failure.=E2=80=9D  We ne=
ed to
distinguish between the cases that appear in =E2=80=98signature-case=E2=80=
=99:

  http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pki.scm#n179

The =E2=80=98gpg=E2=80=99 command hardly helps with that, plus a signature =
is considered
=E2=80=9Cvalid=E2=80=9D if it=E2=80=99s made by someone =E2=80=9Ctrusted=E2=
=80=9D in the sense of the WoT.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 4 Jun 2016 04:26:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jun 04 00:26:17 2016
Received: from localhost ([127.0.0.1]:53644 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b93A9-0006Si-9v
	for submit <at> debbugs.gnu.org; Sat, 04 Jun 2016 00:26:17 -0400
Received: from eggs.gnu.org ([208.118.235.92]:55930)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mtg@HIDDEN>) id 1b93A5-0006SS-8J
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 00:26:15 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mtg@HIDDEN>) id 1b939y-0007pO-M9
 for 22883 <at> debbugs.gnu.org; Sat, 04 Jun 2016 00:26:08 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:34301)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@HIDDEN>)
 id 1b939e-0007ng-QG; Sat, 04 Jun 2016 00:25:46 -0400
Received: from localhost ([::1]:40115 helo=mikegerwitz-pc.gerwitz.local)
 by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <mtg@HIDDEN>)
 id 1b939e-0007ZP-3w; Sat, 04 Jun 2016 00:25:46 -0400
From: Mike Gerwitz <mtg@HIDDEN>
To: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: Authenticating a Git checkout
In-Reply-To: <87bn3iz1xc.fsf_-_@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\?\=
 \=\?utf-8\?Q\?\=22's\?\= message of "Fri,
 03 Jun 2016 18:12:47 +0200")
Date: Sat, 04 Jun 2016 00:24:55 -0400
Message-ID: <87bn3hwpgo.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha1; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Christopher Allan Webber <cwebber@HIDDEN>,
 Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ludo:

On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Court=C3=A8s wrote:
> First, =E2=80=98git pull=E2=80=99 doesn=E2=80=99t do it for you, you have=
 to pass =E2=80=98--verify=E2=80=99 and
> there=E2=80=99s no way to set it globally.

That's unfortunate.  Does your checkout scenario include a fresh clone?
If so, a pull flag wouldn't help there.

Leo mentioned a patch; I don't think that'd be too difficult (looking at
other config options in builtin/pull.c), and would be a great idea.  It
appears to pass it off to merge.c; that might be a useful area to verify
signatures as well (pull being a fetch && merge/rebase), in a general
sense.

> Second, even if it did, it would be a shallow check: as Mike notes in
> <https://mikegerwitz.com/papers/git-horror-story> with the =E2=80=98signc=
hk=E2=80=99
> script, you actually have to traverse the whole commit history and
> authenticate them one by one.  But that=E2=80=99s OK, it runs in presumab=
ly less
> than a minute on a repo the size of Guix=E2=80=99s, and we could also sto=
p at
> signed tags to avoid redundant checks.

Practically speaking, that's probably fine, though note that a signed
tag is just a signed hash of the commit it points to (with some
metadata), so you're trusting the integrity of SHA-1 and nothing
more.

With that said, the tag points to what will hopefully be a signed
commit, so if you verify the signature of the tag _and_ that commit,
that'd be even better.  Git's use of SHA-1 makes cryptographic
assurances difficult/awkward.

An occasional traversal of the entire DAG by, say, a CI script would
provide some pretty good confidence.  I wouldn't say it's necessary for
every pull.

> Third, as I wrote before=C2=B9, relying on the OpenPGP web of trust to
> determine whether a commit is =E2=80=9Cvalid=E2=80=9D is inappropriate: w=
hat we want to
> know is whether a commit was made by an authorized person, not whether
> it was made by someone who happens to have an OpenPGP key directly or
> indirectly certified.

If you want to keep with the convenience of the web of trust, then you
can have a keyring trusting only the appropriate Guix
hackers.  Otherwise, I agree.

> Fourth, there=E2=80=99s inversion of control: =E2=80=98git log=E2=80=99 &=
 co. call out to =E2=80=98gpg=E2=80=99,
> so if we want to do something different than just =E2=80=98gpg --verify=
=E2=80=99, we
> have to put some other =E2=80=98gpg=E2=80=99 script in $PATH.  Blech.

What types of things are you considering?  Or are you just considering
the possibility?

I agree that it is awkward.  At the same time, making it configurable
(in the git sense) can potentially be very dangerous, because a
malicious script (e.g. configure) could just modify it to a noop
(e.g. `true`) and circumvent signature checks.

> Fifth, even if we did that, we=E2=80=99d be stuck parsing the possibly l1=
0n=E2=80=99d
> output of =E2=80=98gpg=E2=80=99.  Pretty fragile.

In the log output?  You could use --pretty and %G*.  Otherwise, yes
parsing GPG's output seems dangerous; surely there's a better way (like
Leo mentioned).

> Well no, it turns out that libgit2=C2=B3 has no support for signed commits
> (the =E2=80=98signature=E2=80=99 abstraction there has nothing to do with=
 OpenPGP
> signatures.)

!? D:

That's more concerning from a community mindset standpoint than anything.

> Seventh, even if it did, what would we do with the raw ASCII-armored
> OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we=E2=80=
=99d
> need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
> in Bigloo?)?!

What about gpgme/libgcrypt?[*]

> I stumbled upon git-lockup=E2=81=B4, which uses something other than Open=
PGP to
> sign objects in Git.  However, signatures are not stored in commits but
> rather in =E2=80=9Cgit notes=E2=80=9D, which, IIUC, are mutable objects d=
etached from
> the rest of the object store, so not great.

It seems a bit over-complicated.  Without reading much into it, it
doesn't strike me as much different than a detached signature, but the
problem is that the signature (as you implied) can just be
deleted.  Git's commit/tag signatures are embedded in the actual
object.  git-lockup also seems to hash "(branch,commitid) pairs", which
signs considerably less data than Git's signature would (unless it
actually signs the full object, not a string referencing it).


I'll have to read over your first reference (your message) and its
references; now I'm curious.


[*]: I was actually considering writing an FFI for libgcrypt (if it
doesn't exist already), but it made me uncomfortable without studying
whether Guile can make assurances that pointer-referenced data in
"secure" memory will never be copied anywhere else.  I was going to
bring it up in the near future on the guile mailing list after I did
some research myself; no need to derail the discussion here.

=2D-=20
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXUlgYAAoJEPIruBWO4w6rCAEP/i96imcaecdY2WZmOK8xUrfx
lasLlfR0pEFNzvHNBH+jbPgiaSSRv8NuA9G8FMbD6QWjjnpxx0lK414Acyu3qcaR
KVNtpCvQnQQ3BVYyMHjlwdlkhLs8ZpqgnNirdX60jQ6xKEn3x6A/hVa/N1s0dgLv
NL0+ep3ngIglxFGDT5/h3YJPGnUCW69EN8c4wiHP6HgzymhtwVjgxFCp11GF3EKX
K5JfdxR3Yv+oifqST1YBRNRiav8aJ4NxrNxUFvSh2wLZrXw2eo6soKhgliqZnthS
A09gI1aF+BCUp9uCxPzKfsP60wJRnNj0/q2qyZh5geNIBf13rLnH8TiZiROAgFkM
mIlqAvv1p+OwolqFCZQeYkYZdbVgAOBX3uuPoCF1ehmw+hsnXahO+pPfm0y6mfI/
xeA5dDMF9tgOdQdRtGnG99umxYoeFHGZC8buxKHQX0ibB/7VW1WVbl1KH94wGQbf
Nw5DqMWArL6NYLGVr0+TyTu9KElgL6WHiKl1/21wF/8G1hANcfmrfmBxnrXBGlr8
i1HRlHu0obZZb97r50rS/kqgEwo61T2KOCF0LumwCXVTfudvCaLUSgvvGAr2LIvj
3/4Y296Rgo1I8OmbSZIWP9+9sd7ac6aoSVGSvUMxnTIUE4R+lCIi9wKoEtjEz8ae
gQTIM6ah1W4dZtGNwyIC
=v3dl
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 3 Jun 2016 20:17:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jun 03 16:17:20 2016
Received: from localhost ([127.0.0.1]:53506 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b8vWy-0001t1-Hc
	for submit <at> debbugs.gnu.org; Fri, 03 Jun 2016 16:17:20 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:44042)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1b8vWw-0001st-MF
 for 22883 <at> debbugs.gnu.org; Fri, 03 Jun 2016 16:17:19 -0400
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
 by mailout.nyi.internal (Postfix) with ESMTP id 6DC302202A;
 Fri,  3 Jun 2016 16:17:18 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute7.internal (MEProxy); Fri, 03 Jun 2016 16:17:18 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 cc:content-transfer-encoding:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=80/Z0WzwnmvYJ1H/kQnncVLn8PE=; b=gTFI/c
 qUakZD7uktDZYjPXkoQfeisUEmgjodRtZSlSABI/t/fki4hStBi/p4e62AwlhDCG
 JQDSXBQ7vUeDQrgqwzXqPXAeVHt72KEaGjtZ2f/xX7oQRYubNmuvulZ2Ppv8xJNF
 QjF30oMKiuS/INRwiAQsMp807NP1F43GxljJg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=80/Z0WzwnmvYJ1H
 /kQnncVLn8PE=; b=gLwK+VDh3ognP9RJ3+sO1dzWYWT2r+ii1EXeQs58OpHGtK6
 Z+xnxjMj8ZGp8ywZcVHVatZaqF3uxITNAkheIFDNBh9KKjAOaDJGGH1duklkTxMs
 u8Zp6TonEi/FJss9aNt0U2VZzZ+KgxMn8QM2xDExxpk0UPTg6JsXAmag/N0k=
X-Sasl-enc: iEYGC+JHHk8oCExQFdrxDl3FZGAsIj4op6hNcv9ACpXO 1464985038
Received: from localhost (c-68-81-58-201.hsd1.pa.comcast.net [68.81.58.201])
 by mail.messagingengine.com (Postfix) with ESMTPA id 190B0CCD3B;
 Fri,  3 Jun 2016 16:17:18 -0400 (EDT)
Date: Fri, 3 Jun 2016 16:17:17 -0400
From: Leo Famulari <leo@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: Authenticating a Git checkout
Message-ID: <20160603201717.GB32008@jasmine>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
 <87bn3iz1xc.fsf_-_@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87bn3iz1xc.fsf_-_@HIDDEN>
User-Agent: Mutt/1.6.0 (2016-04-01)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Mike Gerwitz <mtg@HIDDEN>,
 Christopher Allan Webber <cwebber@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Courtès wrote:
> Hello!
> 
> So we sign Git commits, and now we want to authenticate Git checkouts.
> There’s a series of bad news.
> 
> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and
> there’s no way to set it globally.

Since Git already has the git-verify-commit tool, I bet we could
convince the Git project to implement this as a repo configuration
option. Even better if we brought a patch :)

> Second, even if it did, it would be a shallow check: as Mike notes in
> <https://mikegerwitz.com/papers/git-horror-story> with the ‘signchk’
> script, you actually have to traverse the whole commit history and
> authenticate them one by one.  But that’s OK, it runs in presumably less
> than a minute on a repo the size of Guix’s, and we could also stop at
> signed tags to avoid redundant checks.

That doesn't sound so bad.

> Third, as I wrote before¹, relying on the OpenPGP web of trust to
> determine whether a commit is “valid” is inappropriate: what we want to
> know is whether a commit was made by an authorized person, not whether
> it was made by someone who happens to have an OpenPGP key directly or
> indirectly certified.  IOW, we want to know whether the key used to sign
> the commit is among the authorized developer keys.

So, we need some sort of Guix keyring system, right? We'd have to verify
that a signature was made with an authorized key, and then validate the
signature itself? Now it's getting complicated...

> Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,
> so if we want to do something different than just ‘gpg --verify’, we
> have to put some other ‘gpg’ script in $PATH.  Blech.
> 
> Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d
> output of ‘gpg’.  Pretty fragile.

According to the man pages gpg(1) and gpg2(1), the value "1" is returned
if a signature check fails, and there are "other error codes for fatal
errors". If these return values are consistent across GPG versions,
maybe they provide enough information for us.

Return values are a lot easier to parse than stdout / stderr, in my
experience.

If we want to go down this path, we should figure out what we'd want to
do with GPG besides `gpg --verify`.

> Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on
> the CHICKEN bindings², easy!  Well no, it turns out that libgit2³ has no
> support for signed commits (the ‘signature’ abstraction there has
> nothing to do with OpenPGP signatures.)

That's too bad.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 3 Jun 2016 16:13:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jun 03 12:13:30 2016
Received: from localhost ([127.0.0.1]:53432 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b8riz-0001Gc-Lx
	for submit <at> debbugs.gnu.org; Fri, 03 Jun 2016 12:13:29 -0400
Received: from eggs.gnu.org ([208.118.235.92]:59969)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b8rix-0001GA-Gk
 for 22883 <at> debbugs.gnu.org; Fri, 03 Jun 2016 12:13:27 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b8rio-0005id-9W
 for 22883 <at> debbugs.gnu.org; Fri, 03 Jun 2016 12:13:22 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:54897)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b8riW-0005Xr-B4; Fri, 03 Jun 2016 12:13:00 -0400
Received: from pluto.bordeaux.inria.fr ([193.50.110.57]:36784 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1b8riU-00073C-Ak; Fri, 03 Jun 2016 12:12:58 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: 22883 <at> debbugs.gnu.org,
Subject: Authenticating a Git checkout
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@HIDDEN>
Date: Fri, 03 Jun 2016 18:12:47 +0200
In-Reply-To: <874majg0z8.fsf@HIDDEN> (Mike Gerwitz's message of "Sat, 30 Apr
 2016 00:43:55 -0400")
Message-ID: <87bn3iz1xc.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: Christopher Allan Webber <cwebber@HIDDEN>,
 Mike Gerwitz <mtg@HIDDEN>, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

So we sign Git commits, and now we want to authenticate Git checkouts.
There=E2=80=99s a series of bad news.

First, =E2=80=98git pull=E2=80=99 doesn=E2=80=99t do it for you, you have t=
o pass =E2=80=98--verify=E2=80=99 and
there=E2=80=99s no way to set it globally.

Second, even if it did, it would be a shallow check: as Mike notes in
<https://mikegerwitz.com/papers/git-horror-story> with the =E2=80=98signchk=
=E2=80=99
script, you actually have to traverse the whole commit history and
authenticate them one by one.  But that=E2=80=99s OK, it runs in presumably=
 less
than a minute on a repo the size of Guix=E2=80=99s, and we could also stop =
at
signed tags to avoid redundant checks.

Third, as I wrote before=C2=B9, relying on the OpenPGP web of trust to
determine whether a commit is =E2=80=9Cvalid=E2=80=9D is inappropriate: wha=
t we want to
know is whether a commit was made by an authorized person, not whether
it was made by someone who happens to have an OpenPGP key directly or
indirectly certified.  IOW, we want to know whether the key used to sign
the commit is among the authorized developer keys.

Fourth, there=E2=80=99s inversion of control: =E2=80=98git log=E2=80=99 & c=
o. call out to =E2=80=98gpg=E2=80=99,
so if we want to do something different than just =E2=80=98gpg --verify=E2=
=80=99, we
have to put some other =E2=80=98gpg=E2=80=99 script in $PATH.  Blech.

Fifth, even if we did that, we=E2=80=99d be stuck parsing the possibly l10n=
=E2=80=99d
output of =E2=80=98gpg=E2=80=99.  Pretty fragile.

Sixth, OK, we=E2=80=99ll use libgit2, and write Guile bindings, maybe based=
 on
the CHICKEN bindings=C2=B2, easy!  Well no, it turns out that libgit2=C2=B3=
 has no
support for signed commits (the =E2=80=98signature=E2=80=99 abstraction the=
re has
nothing to do with OpenPGP signatures.)

Seventh, even if it did, what would we do with the raw ASCII-armored
OpenPGP signature?  GPG and GPGME are waaaay too high-level, so we=E2=80=99d
need to implement OpenPGP (in Guile, maybe based on the OpenPGP library
in Bigloo?)?!


I hope I=E2=80=99m just being negative and I missed an obvious solution or =
made
wrong hypotheses.  Please tell me!  :-)


I stumbled upon git-lockup=E2=81=B4, which uses something other than OpenPG=
P to
sign objects in Git.  However, signatures are not stored in commits but
rather in =E2=80=9Cgit notes=E2=80=9D, which, IIUC, are mutable objects det=
ached from
the rest of the object store, so not great.

Cheers,
Ludo=E2=80=99.

=C2=B9 http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D22883#40
=C2=B2 http://wiki.call-cc.org/eggref/4/git
=C2=B3 https://libgit2.github.com/libgit2/
=E2=81=B4 https://github.com/warner/git-lockup

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXUayHAAoJEAkLEZk9muu1e14P/j2LKePXrTqc2H9PD9BcDs5P
vu2edfTBqTJLwfi4M02UTt8nsYmK7uzpREA6W2+EI1ZkUeKVtlW5uOmZ4CrDwvEg
Yu9p/FqHR/YGznzLkwk5E1cba6kvEq3kHq6vrn/Yy7OkwGak119wnUaad9WPsPYu
TTcVQJBM6vIWHE7kESMG3O5nuc5U7MfuBrnV2D0PsNF8bDRmL8pSO3y5IWtBOOiT
x8f/mi62kz/UlGOfewnRrlgKWN+87uwZ6/PldypDLjrKAVoh1h3ErdHNvzgXB3eH
bcxXn4Uog6FF/3dcJFRPvngCt+kOQatT2L7VwsfB8Ou9TEaTqR2psNLPR3+HzKtU
sJ9ZNtk5sMQIQ8pw2l92/LV/b9smr3TpW9+SSNMO/GRHzudqsSpwI197d0YQIYtj
Y8YBk/FP90D7QHjNCOPdAGIuO1LQf8wRunZIV7ninXu1OlXcnPYkJaC9Z/EEWMhj
Ol43bz7vneMr7DVrx9HMhyd399rbTDQ6h6VDMjamW0728FCwAd/RHge/Eh+WR5Mq
4xXgq7ANyD3UblxUQSzw1usWtADfLFABvM5M/XUANDCypmu6VTj5qYkwIZ1OaRKp
1jvt3IOgHsXQsSiN7zTPIShrVdsVfS3zej4tSr8wPflucLFVcUVd83SUqoYNsmvG
SwqdpkzrOybIUMO4Hjht
=besN
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 1 Jun 2016 16:47:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jun 01 12:47:32 2016
Received: from localhost ([127.0.0.1]:50076 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b89Il-0006vt-GI
	for submit <at> debbugs.gnu.org; Wed, 01 Jun 2016 12:47:32 -0400
Received: from eggs.gnu.org ([208.118.235.92]:35466)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b89Ij-0006vg-V0
 for 22883 <at> debbugs.gnu.org; Wed, 01 Jun 2016 12:47:26 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b89Ia-00019o-WF
 for 22883 <at> debbugs.gnu.org; Wed, 01 Jun 2016 12:47:20 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:45429)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b89Ia-00019J-Sf
 for 22883 <at> debbugs.gnu.org; Wed, 01 Jun 2016 12:47:16 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:42112 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1b89IY-0008Ph-HS
 for 22883 <at> debbugs.gnu.org; Wed, 01 Jun 2016 12:47:15 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: 22883 <at> debbugs.gnu.org
Subject: Discussion of TUF in the context of Git checkout authentication
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
Date: Wed, 01 Jun 2016 18:47:06 +0200
In-Reply-To: <87h9ep8gxk.fsf@HIDDEN> ("Ludovic
 \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
 \=\?utf-8\?Q\?s\?\= message of "Tue, 26 Apr 2016 00:25:11 +0200")
Message-ID: <87a8j4hn5h.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

Here are some (somewhat unstructured!) thoughts about what it means to
deliver secure updates to Guix users, and how The Update Framework (TUF)
and related ideas can help us.

To summarize, the problem we=E2=80=99re trying to solve is the =E2=80=9Csec=
ure=E2=80=9D update
of Git checkouts.  That=E2=80=99s because Guix is a set of recipes and code=
 that
is delivered to users/developers using Git.

More specifically, we share most of the security goals listed in
Sections 1.5.2 and 1.5.3 of the TUF spec=C2=B9.

TUF is biased towards repositories of binary packages and associated
meta-data, whereas we=E2=80=99re (1) using Git, and (2) concerned with sour=
ce
code authentication.  Thus, some of the goals in 1.5.2 are not
applicable, as we will see, and some of the roles in 2.1 are not
applicable either.

The OPAM folks came up with a variant of TUF=C2=B2 that takes advantage of
the fact that the OPAM package repository is in a Git repo=C2=B3 (this desi=
gn
is not currently used by opam-repository, AFAICS).  Their scheme uses
detached signature files for package meta-data instead of signed
commits; thus, it is not concerned with Git checkout authentication in
general, but with the authentication of individual files in the repo
(see the discussion of =E2=80=9Ctarget files=E2=80=9D below).  Yet, there a=
re good ideas
applicable to our Git repo, such as the =E2=80=98signed=E2=80=99 tag create=
d by a
=E2=80=9Csignature bot=E2=80=9D and that clients can use to check whether t=
hey get the
latest version of opam-repository.

The Qubes folks have their own process=E2=81=B4, not inspired by TUF.  They=
 push
signed Git tags (instead of signing commits), with roughly one signed
tag every time a bunch of commits is pushed=E2=81=B5.  AIUI, Qubes uses the
OpenPGP web of trust to determine which keys are authorized keys: a key
signed by the Qubes master key is considered authorized.  IMO this is a
misuse of OpenPGP, where a signature on a key is a statement of trust in
(certification of) the key/email and possibly key/name bindings=E2=81=B6, a=
nd
has nothing to do with authorization.

At the very least, it=E2=80=99s clear that:

  1. Guix clients, whether =E2=80=98guix pull=E2=80=99 or =E2=80=98git pull=
=E2=80=99, must be able to
     authenticate the history of their checkout; this is why we started
     signing commits.

  2. We must use a mechanism such as the =E2=80=98signed=E2=80=99 Git tag d=
escribed in
     the OPAM document so that clients can know what the latest Guix
     commit is.

  3. We must follow the key management practices developed in TUF.

Let=E2=80=99s go back to the =E2=80=9Cgoals for specific attacks to protect=
 against=E2=80=9D in
Section 1.5.2 of the TUF spec, and see how they apply to the
distribution of Guix=E2=80=99s source tree:

  1. =E2=80=9CRollback attacks.  Attackers should not be able to trick clie=
nts
     into installing software that is older than that which the client
     previously knew to be available.=E2=80=9D

     As explained in the OPAM document, Git gives us linearity
     guarantees (=E2=80=98git pull=E2=80=99 makes sure we move forward), so=
 clients can
     be sure they move forward in Guix history.  We expect clients to
     authenticate the Git history, making sure all the commits are
     signed by authorized Guix committers.

     To perform such an attack, an attacker would need to get access to
     the private key of one of the authorized committers.  We can
     probably consider it beyond the scope of our threat model, because
     at this point, the attacker could do anything (like the 2nd
     paragraph of TUF Section 2.2 suggests) and the version string of
     packages is really a detail.

  2. =E2=80=9CIndefinite freeze attacks.  Attackers should not be able to
     respond to client requests with the same, outdated metadata without
     the client being aware of the problem.=E2=80=9D

  3. =E2=80=9CEndless data attacks=E2=80=9D and =E2=80=9CSlow retrieval att=
acks=E2=80=9D seem to be
     beyond the scope of our interests here; TUF does not seem to
     address them either.

  4. =E2=80=9CExtraneous dependencies attacks.  Attackers should not be abl=
e to
     cause clients to download or install software dependencies that are
     not the intended dependencies.=E2=80=9D

     Not applicable: we=E2=80=99re distributing a Git source tree, not build
     artifacts.

  5. =E2=80=9CMix-and-match attacks.  Attackers should not be able to trick=
 clients into
     using a combination of metadata that never existed together on the
     repository at the same time.=E2=80=9D

     Not applicable, for the same reaons.

  6. =E2=80=9CMalicious repository mirrors should not be able to prevent up=
dates
     from good mirrors.=E2=80=9D

     Clients should check the age of the =E2=80=98signed=E2=80=99 tag, and =
thus detect
     outdated mirrors.

Section 2 of the TUF spec defines the notion of =E2=80=9Ctarget files=E2=80=
=9D and
discusses roles and the PKI.

=E2=80=9CTarget files=E2=80=9D are defined as files distributed by the syst=
em as
commonly found in =E2=80=9Ctraditional=E2=80=9D package repos (e.g., binary=
 packages and
associated meta-data); they are the unit of authenticable data.

In Guix we want to authenticate whole checkouts, so the notion of
=E2=80=9Ctarget file=E2=80=9D seems to make little sense.  For instance, it=
 wouldn=E2=80=99t
make sense to sign each gnu/packages/*.scm file individually, because
the meaning of these files depends not only on the surrounding files,
but also on the core of Guix, such as the (guix packages) module, which
defines the very notion of =E2=80=9Cpackage=E2=80=9D.

The PKI and roles described in TUF, with separate responsibilities and
the ability to delegate, make a lot of sense (it=E2=80=99s similar in spiri=
t to
SPKI=E2=81=B7, but more limited in scope.)  Some of the roles do not seem t=
o be
applicable to secure Git update delivery:

  =E2=80=A2 the =E2=80=9Ctargets=E2=80=9D role is not applicable, at least =
not to individual
    source files;

  =E2=80=A2 the =E2=80=9Csnapshot=E2=80=9D role does not seem applicable (a=
 Git commit *is* a
    complete snapshot); the =E2=80=9Ctimestamp=E2=80=9D role, though, corre=
sponds to the
    signature bot described in the OPAM document;

  =E2=80=A2 the optional =E2=80=9Cmirrors=E2=80=9D role doesn=E2=80=99t see=
m very useful, as
    acknowledged by Section 2.1.5 of the TUF spec.

With that in mind, we now need to see how to map the relevant bits of
TUF to Guix!

Comments welcome!

Ludo=E2=80=99.

=C2=B9 https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec=
.txt
=C2=B2 http://opam.ocaml.org/blog/Signing-the-opam-repository/
=C2=B3 https://github.com/ocaml/opam-repository
=E2=81=B4 https://www.qubes-os.org/doc/verifying-signatures/
=E2=81=B5 See for example all the =E2=80=98mm_XXX=E2=80=99 tags at
 <https://github.com/QubesOS/qubes-core-agent-linux/releases>.
=E2=81=B6 https://tools.ietf.org/html/rfc4880#section-5.2
=E2=81=B7 http://theworld.com/~cme/spki.txt

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXTxGPAAoJEAkLEZk9muu1If0P/iQNEwbEgwGAnYXHM00l/IZA
fBDGe6AFPkbZpFOmr9r1Ww9khVa8ZlRymrvCCm74YX1nuPvU70e4/7QR+8eboQK6
3NieQKdNN9uXdBaup9snkWcVimf7ePuW4x2u0lSAbCKy25oiR/ZZOwGhK1cmiYcH
ZHNv8W8Cai6V45mjlDeOdcdqp9mF0vZ/PgVUaW1EEknSGpyJmkRo2ipdkeuaPdGz
PQfT3T5P5FSvExCryeXGWv5eP/RJdJKqmaK8fvAKO5YZR3xQodH9zCfL9s8NCI9c
Jv0+sJp4Avi3axZFunJPocim7kzWXItk81g3uEgFAWC/cu2+6OOwfm50dB/BAZmw
RFO6rA6hYP2crtrwhDZ8k2SMuQejN0fdCDA2e5aLJSDIOcQ1I0isLI5DeF9e7n5Q
/DKJM8Iz50dtfDJdHRxO2yNE0o28X41YliRGYPX1FqSBadyJAOA4YJ05jMZmhaJt
7DmcW+qt94a7bMwH6B8mfj8VMTt0a7vowCGd3LzjZslTv588SIfHbMLObE4Z13wk
H1JOoIz5OmN41x/FrpQ4W2sRCqdulhbl0hic2pDGWaVsYkDK5PYipTPgISz04dhq
YmqjKddGqY1gkYw7/YgGpNAwqJCMVZndWjsx5lCHcg6nqDTy6yurceDLgVaVdHQV
PKLcerMvIIwaglaylPGj
=PM0h
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 17 May 2016 21:19:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue May 17 17:19:31 2016
Received: from localhost ([127.0.0.1]:56325 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b2mOo-000137-Rv
	for submit <at> debbugs.gnu.org; Tue, 17 May 2016 17:19:30 -0400
Received: from eggs.gnu.org ([208.118.235.92]:53588)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1b2mOk-00012s-AH
 for 22883 <at> debbugs.gnu.org; Tue, 17 May 2016 17:19:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1b2mOc-0004Xs-31
 for 22883 <at> debbugs.gnu.org; Tue, 17 May 2016 17:19:21 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:58277)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1b2mOc-0004Xn-0P; Tue, 17 May 2016 17:19:18 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:48816 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1b2mOb-0005R9-6h; Tue, 17 May 2016 17:19:17 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: fluxboks@HIDDEN
Subject: Re: bug#22883: Trustable "guix pull"
References: <87io14sqoa.fsf@HIDDEN>
 <c9f22542d79aaf0503b68ba70f0ce912@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 29 =?utf-8?Q?Flor=C3=A9al?= an 224 de la =?utf-8?Q?R?=
 =?utf-8?Q?=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Tue, 17 May 2016 23:19:15 +0200
In-Reply-To: <c9f22542d79aaf0503b68ba70f0ce912@HIDDEN>
 (fluxboks@HIDDEN's message of "Sun, 15 May 2016 15:40:49
 +0300")
Message-ID: <87oa84v0vg.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.4 (------)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.4 (------)

Hi!

fluxboks@HIDDEN skribis:

> But I presume there must be another reason why there's no https,

HTTPS is not the alpha and omega of security.  At best, it provides
confidentiality and allows users to authenticate the server (some
certificate authorities are corrupt though, so there=E2=80=99s a risk.)

Once you=E2=80=99ve authenticated the server, you still haven=E2=80=99t aut=
henticated
the code, which is what you=E2=80=99re really interested in as a user.

So this is what this issue is about, and I agree it needs to be fixed
ASAP.  Your contributions are very welcome, too!  :-)

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 16 May 2016 17:56:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 16 13:56:06 2016
Received: from localhost ([127.0.0.1]:54212 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b2MkM-0001Au-T5
	for submit <at> debbugs.gnu.org; Mon, 16 May 2016 13:56:06 -0400
Received: from mail-yw0-f182.google.com ([209.85.161.182]:35799)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dthompson2@HIDDEN>) id 1b2MkK-0001AE-JN
 for 22883 <at> debbugs.gnu.org; Mon, 16 May 2016 13:56:00 -0400
Received: by mail-yw0-f182.google.com with SMTP id g133so169392744ywb.2
 for <22883 <at> debbugs.gnu.org>; Mon, 16 May 2016 10:56:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=worcester-edu.20150623.gappssmtp.com; s=20150623;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-transfer-encoding;
 bh=dhn5akf/3Rfvzuh64bDqmJ9JuSZTcw7jWqWfsUEhIzs=;
 b=CIwEg06Ab3cVOwY2Vi2+lAL2SOfaosOhKj8JxVtZ5tIE43dS3Rw5A5dM61Z43TsHIr
 sMsXwxYdIJu5ooqf15HJms5ZRJAQmiSCzetJReGFI7o+XmjDx6zY+MuJjgidNZfbjgEC
 LAH1BdDzrcul5oL45dsRuS5RpNzE0Jpznf9XCIXIwvW51KtxA5S/gI0fVuwfEIbQkmhL
 FJqJM3JgZ55ARoRd8Pu/UqSLsJX+3G6rbO/f3TaavJp9ltWTEE2wAhc4dVaSNMRpipqW
 eQmwYrQR6lFmFf9s17a+oKbm3TiiOA/AGnzD5h7cWA2qErQa1jvyWH/GLnixUwCRtdk6
 LvKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:date
 :message-id:subject:from:to:cc:content-transfer-encoding;
 bh=dhn5akf/3Rfvzuh64bDqmJ9JuSZTcw7jWqWfsUEhIzs=;
 b=Evo5EJcTyiqDgjRtzXKFlG+TPNeOk0meG99V1GLIE8lGWSAocZkt+D4aiW4ENtTNcN
 3l70vlVaK+w50OpG8+UbizoWiCFa0ZVm7XFVcAi4Eha1YTZdxpm/W2900SDiloOm5KFI
 bWFHqscvi9phIPppWCBk0daxAjPMRZH9JqRnhLdFGE50S2EueGFzk7Rwf8r5Af5eOsvd
 /Ukxh//qgDJdTGTVshkQpnnLjhMCD41dtkKhb2ODKGNEvi2PPou9/ll2ghrcDZYYW3UT
 sf5yeNW8Fmn5UwNgrG2ZR30bwWDFfme6PN0fsgUlrsyNEd4XlcobMAe3e7CbvsFOiaEw
 uVxg==
X-Gm-Message-State: AOPr4FWOOzBHKSOJmEEjj3POJBwdNUQoVzKRpXaXTWpmctqf7X6xOyy3HdOrN5lxHJzAKBS6ZS8D2iaSMcdfvifo
MIME-Version: 1.0
X-Received: by 10.129.147.71 with SMTP id k68mr16360671ywg.76.1463421355017;
 Mon, 16 May 2016 10:55:55 -0700 (PDT)
Received: by 10.37.8.5 with HTTP; Mon, 16 May 2016 10:55:54 -0700 (PDT)
In-Reply-To: <c9f22542d79aaf0503b68ba70f0ce912@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN>
 <c9f22542d79aaf0503b68ba70f0ce912@HIDDEN>
Date: Mon, 16 May 2016 13:55:54 -0400
Message-ID: <CAJ=RwfZ+pCHjrGE6hfQe9V5MtmhA5cwB346qA5qxOnA66FvoMg@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
From: "Thompson, David" <dthompson2@HIDDEN>
To: fluxboks@HIDDEN
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

On Sun, May 15, 2016 at 8:40 AM,  <fluxboks@HIDDEN> wrote:
> Please, for the love of all/any gods!(if any)
> Fix this issue :)
> For example, you can get this https to work:
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> (it doesn't currently)
>
> $ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> --2016-05-15 15:32:15--
> https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
> Resolving git.savannah.gnu.org... 208.118.235.72
> Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown proto=
col
> Unable to establish SSL connection.
>
> Chromium says:
> This site can=E2=80=99t provide a secure connection
>
> git.savannah.gnu.org sent an invalid response.
> Learn more about this problem.
> ERR_SSL_PROTOCOL_ERROR
>
> This works just fine though: https://savannah.gnu.org/ and https://gnu.or=
g/
> and https://www.gnu.org/
>
> As a reminder, letsencrypt and startssl are a thing - both provide free
> certs. If that's the issue.

We *DO NOT* run Savannah, the FSF does.  Savannah absolutely should
allow cloning Git repositories over HTTPS, but we are the wrong people
to complain to about it.  You can send a polite message to
sysadmin@HIDDEN instead.

> I want to be honest here: this bug is a show stopper for me! It makes me
> draw certain unfavorable conclusions about the mentality and seriousness =
of
> the guix project devs. I wish it wouldn't, but really can you blame me?

Yes, I can.  I think you should re-evaluate your conclusions.  All of
our official release tarballs are GPG signed, we have begun signing
all of our commits, all of our package recipes validate checksums for
the source code they download, and we patch CVEs in a pretty timely
manner for a such a small core team.  I can assure you that we are
very serious about security.  I recommend simply not using 'guix pull'
right now until we have something more trustable, which we are working
on!  This is beta software written by volunteers.  The problem will be
solved quicker with some more hands to help.  Would you like to join
in?

- Dave




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 16 May 2016 17:38:27 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 16 13:38:27 2016
Received: from localhost ([127.0.0.1]:54158 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1b2MTL-0007UO-Bv
	for submit <at> debbugs.gnu.org; Mon, 16 May 2016 13:38:27 -0400
Received: from mail2.openmailbox.org ([62.4.1.33]:60184)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <fluxboks@HIDDEN>) id 1b2MT3-0007Tb-Kb
 for 22883 <at> debbugs.gnu.org; Mon, 16 May 2016 13:38:10 -0400
Received: by mail2.openmailbox.org (Postfix, from userid 1001)
 id 188761047DA; Sun, 15 May 2016 14:40:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org;
 s=openmailbox; t=1463316053;
 bh=+53AtbPeSV6at9Z+/0l7Ke3EIGUSh5fV8ANmIOcMXEQ=;
 h=Date:From:To:Subject:From;
 b=TzdadnhZtLzUSrW5ALs70NToClC0u/kfx0YsP7Hu/Res0d5DwYTyz5hLlMgIe+N2o
 dHbWagS0nx60ZOzNe3nXeNXFU4xlDs1yfyJCtgtxTwMGneLRR2w+r1DmS1Mbw5TyO9
 o4wDY5lzYs9mqNnqIV9d9ZroSjQqtqENrvuQ79w8=
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on h4
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,URIBL_BLOCKED
 autolearn=no autolearn_force=no version=3.4.0
Received: from www.openmailbox.org (unknown [10.91.130.51])
 by mail2.openmailbox.org (Postfix) with ESMTP id 0AD631047FC
 for <22883 <at> debbugs.gnu.org>; Sun, 15 May 2016 14:40:49 +0200 (CEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit
Date: Sun, 15 May 2016 15:40:49 +0300
From: fluxboks@HIDDEN
To: 22883 <at> debbugs.gnu.org
Subject: Re: bug#22883: Trustable "guix pull"
Message-ID: <c9f22542d79aaf0503b68ba70f0ce912@HIDDEN>
X-Sender: fluxboks@HIDDEN
User-Agent: Roundcube Webmail/1.0.6
X-Spam-Score: -1.8 (-)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Mon, 16 May 2016 13:38:25 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.8 (-)

Please, for the love of all/any gods!(if any)
Fix this issue :)
For example, you can get this https to work: 
https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
(it doesn't currently)

$ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
--2016-05-15 15:32:15--  
https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Resolving git.savannah.gnu.org... 208.118.235.72
Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol
Unable to establish SSL connection.

Chromium says:
This site can’t provide a secure connection

git.savannah.gnu.org sent an invalid response.
Learn more about this problem.
ERR_SSL_PROTOCOL_ERROR

This works just fine though: https://savannah.gnu.org/ and 
https://gnu.org/ and https://www.gnu.org/

As a reminder, letsencrypt and startssl are a thing - both provide free 
certs. If that's the issue.

But I presume there must be another reason why there's no https, 
therefore would you please consider hosting it somewhere like github? or 
if github isn't inline with GNU(for whatever reasons, eg. license), then 
surely notabug.org is(according to libreboot which recommends it instead 
of github)! Please, pretty please, consider it. At the very least you 
could host a mirror/clone there(if not make it the permanent home of the 
repo.) and someone(a dev) could push to both without even having two 
remotes(ie. just the origin remote with two push urls is okay); so when 
push-ing, both savannah and notabug would get updated(see below how), 
and thus we(the users) could use the notabug link to get master.tar.gz 
which would then be https.
It would be something like this:
https://https://notabug.org/guixuser/guix/archive/master.tar.gz
(so it's .gz not .xz, is that worse than serving it over plain http?)
I would actually recommend github for increased reliability, but 
whatever! As long as it's not served over http anymore! Or find some way 
of signing it? that's going to be harder than this!

Here's how to have two push refs in the same remote(origin):
Suppose that this
git remove -v show
shows this:
origin	https://github.com/gorhill/uMatrix.git (fetch)
origin	https://github.com/gorhill/uMatrix.git (push)
Then to add another push url to the same origin remote, you'd do:
re-add the already existing push url(from above):
git remote set-url --add --push origin 
https://github.com/gorhill/uMatrix.git
now, this
git remote -v show
would show no changes!
and now add the new one:
git remote set-url --add --push origin 
git@HIDDEN:somethingelse/uMatrix.git
and now, this
git remote -v show
would show:
origin	https://github.com/gorhill/uMatrix.git (fetch)
origin	https://github.com/gorhill/uMatrix.git (push)
origin	git@HIDDEN:somethingelse/uMatrix.git (push)

So when you do 'git push', it will push to both (so it will prompt for 
your ssh key password twice).

Of course for you the 'https://' urls from above would be 'git@' 
instead! (they just happen to be https for me, since I don't have push 
access)

I want to be honest here: this bug is a show stopper for me! It makes me 
draw certain unfavorable conclusions about the mentality and seriousness 
of the guix project devs. I wish it wouldn't, but really can you blame 
me? I want to use guix but not until something's done about this so that 
MITM is unlikely to happen here. At the very least let me pull this over 
https, please!

If you use notabug.org then not only we(the users) can get/clone the git 
repo over https, but we can also get/clone it over ssh! (instead of over 
just plain git://). So that'd be two rabbits in one shot!

Please let me know if anything is going to be done about this, so that I 
would know what to do next: wait or move on. No hard feels. Presumably 
any direct answer would be better than no answer, so that I would know 
what to do, rather than waste time waiting for an answer...
Thank you and I appreciate your time in reading all this!

-signed, an idiot. ;-) #whohasselfesteemamirite





Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 30 Apr 2016 06:56:47 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 30 02:56:47 2016
Received: from localhost ([127.0.0.1]:56355 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1awOpa-0002tl-MT
	for submit <at> debbugs.gnu.org; Sat, 30 Apr 2016 02:56:47 -0400
Received: from eggs.gnu.org ([208.118.235.92]:48281)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mtg@HIDDEN>) id 1awMli-0008Af-At
 for 22883 <at> debbugs.gnu.org; Sat, 30 Apr 2016 00:44:38 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <mtg@HIDDEN>) id 1awMlT-00031q-71
 for 22883 <at> debbugs.gnu.org; Sat, 30 Apr 2016 00:44:29 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:47614)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <mtg@HIDDEN>)
 id 1awMlK-0002zC-Le; Sat, 30 Apr 2016 00:44:14 -0400
Received: from localhost ([::1]:53428 helo=mikegerwitz-pc.gerwitz.local)
 by fencepost.gnu.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <mtg@HIDDEN>)
 id 1awMlD-0000Ov-Ie; Sat, 30 Apr 2016 00:44:07 -0400
From: Mike Gerwitz <mtg@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
In-Reply-To: <20160426001359.GA23088@jasmine> (Leo Famulari's message of "Mon, 
 25 Apr 2016 20:13:59 -0400")
Date: Sat, 30 Apr 2016 00:43:55 -0400
Message-ID: <874majg0z8.fsf@HIDDEN>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha1; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -6.0 (------)
X-Debbugs-Envelope-To: 22883
X-Mailman-Approved-At: Sat, 30 Apr 2016 02:56:45 -0400
Cc: Christopher Allan Webber <cwebber@HIDDEN>, 22883 <at> debbugs.gnu.org,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hey, guys.  Chris mentioned this thread to me.  I'm happy to see the
discussion!

Chris: unfortunately, my `mml-secure-openpgp-encrypt-to-self` flag
somehow got unset when I sent you my reply, so I can't read my own
message.  But I'll rewrite some of it here.

On Mon, Apr 25, 2016 at 20:13:59 -0400, Leo Famulari wrote:
>> Note that we=E2=80=99ll be signing patches we push on behalf of contribu=
tors who
>> do not have commit access (reviewer=E2=80=99s responsibility).
>>=20
>> Also, rebasing, amending, and cherry-picking code signed by someone else
>> would lose the original signature, which isn=E2=80=99t great and should =
be
>> avoided, if possible.
>
> I think it's common to make minor edits when committing on behalf of
> others. For example, the committer might clean up a commit message or
> standardize indentation.
>
> How should we handle this?

You don't.

One of the core purposes of digital signatures is to ensure integrity of
the signed data: if I submit a patch, I don't want someone else
modifying it and saying it was my own, or saying it was modified without
supplying a diff; that'd be a misrepresentation; a horror story
almost. ;)

The question is for what purpose you're signing commits.  Chris
mentioned trust, but that can come in a few different forms.  Signatures
ensure:

  - Authentication: whether the commit came from a trusted source;
  - Integrity: assurance that the commit has not been modified; and
  - Non-repudiation of origin: the signer cannot deny signing it.

If you only care about authentication, then it doesn't matter if the
signature is retained---it only matters that the person who eventually
signs off on the commit is trusted.  In that case, just sign it.

If it's integrity, then make another commit that changes the
original.  I recommend this regardless, for the reason I stated above;
just branch, apply their commits, your change, and merge.

For non-repudiation assurances, you'll need to keep the original
signature as well.  This might be useful, say, in the case of issues
with copyright assignments---maybe an employer holds copyright on the
code and the employee claims he/she isn't the person that actually
submitted it.

All of this subject to the usual crypo-caveats (no compromised private
key, yadda yadda).

Now, what is being signed isn't actually the code---it's the contents of
the commit object, which includes a SHA-1 hash of the tree, parent
commit(s), author, committer, timestamp, and commit message:

=2D-8<---------------cut here---------------start------------->8---
$ git cat-file -p 7062845
tree 7d21b900c0773d7fdc898aecff11053a910ac18d
parent 2b56dc019a049b2f68ce078b243fc313fbaeacf3
author Ludovic Court=C3=A8s <ludo@HIDDEN> 1461943404 +0200
committer Ludovic Court=C3=A8s <ludo@HIDDEN> 1461945944 +0200
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
[...]
 -----END PGP SIGNATURE-----

nls: Add Simplified Chinese translation.

[...]
=2D-8<---------------cut here---------------end--------------->8---

My point with this[*] is that the GPG signature you receive isn't
meaningful in the case of a rebase---if it signed blobs or a diff, maybe
it would be.  But since rebasing will eventually cause the GPG-signed
commit to be GC'd (unless there's a ref to it), you can't modify the
commit and just reference the old diff with the original signature.

More details in a discussion with Whonix here:

  https://web.archive.org/web/20150619232904/https://www.whonix.org/forum/i=
ndex.php?topic=3D538.msg4278#msg4278

So if you do want to clean up or squash GPG-signed changes from
contributors, or do other rebasing, then I'd either push back and tell
them to do it, or maybe have them send GPG-signed _patches_ to a public
mailing list where it can be permanently archived; then everyone can see
the original.


[*] SHA-1 was never intended to be used as a security measure in
Git---nor should it be; SHA-1 is effectively broken with the
demonstration of a freestart collision last year (where the attacker
controls the IV; but it's only a matter of time).  So if a collision can
be found for any of those signed SHA-1 hashes---or any hashes they
reference---_that actually makes sense to Git and humans_, then your
signature will still be perfectly valid.  But distribution archives are
also GPG-signed, so Git will never be the only place of reference.

I need to update my article, but I'm essentially saying that it's really
hard to have strong cryptographic assurances with Git even with signed
commits---that attack surface is simply too large, as I mentioned in the
Whonix discussion.  Realistically, it's extremely unlikely that
something will ever happen, but until Git switches to a secure hash
algorithm (...har har), don't expect full integrity.  If you're using
signatures for authorization primarily, then you don't really need to
worry.

=2D-=20
Mike Gerwitz
Free Software Hacker | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXJDgMAAoJEPIruBWO4w6rUocP/Rv6NmA+nUb9lcdlBIpVpqLJ
f9F4q4Ov4JI4yoNwiiZQqjm0qRBZvk8yIWoGm4FNAcgfXUVXHx1lGLuF+Hyr1SK4
8Q2AlRisHleMfEkKvmccZn+CgU1D3Qq7z0BGQezZY8GhYGGbWySHNq2IlCW5JCwZ
CpdN1G0QZJhaPgxNWMxeTFcarreszbWd70Hf/SYN2V+Clk8xsvqvUFcYF5mPZAUU
czvcCtZ6Zoy5qtqRvDuSvqQmOEIcDedywSGE7PP+RIU8iMl/d5w/IO//2aP8T9XQ
NIfxZkDnxmnZT5VlpsdwSRHZu9OcG7uIcgh+65B5mYKX5UehH33m+BdouqxgrCS8
pnPW9+2o9db7L7JcQSvwspF0zCp+UTL+3mWpjfiagy3zwF41LX3QaLgmYI1V5RnK
+IE/TxTJQvYHXMHr5xfTxuMJtbpLNEuuZvMUwIvbeCFhmzBbeq7VAXWkrUFCxtjE
ciNJbmOsusPMlz2h92iryqBl5S67pdSDAZvBNHrY6KG3Yj5CWCRVYuxf4SnfDhY2
Y5vvbSfEqaVesSNDnalBvqM1Rur+t70qdaIc0d6NLwSahejwhIroLCeJ7n7xbAta
AyX0aL2hvtGiJyN8/AfZVINLDRnD3DaoGaQA/r9PF3Bhg1COYnPz7wbh8SNTMVcH
iaLnRJ8yC/LgdfMNilbo
=MRud
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 26 Apr 2016 07:12:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 26 03:12:48 2016
Received: from localhost ([127.0.0.1]:47411 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1auxAu-0001fV-Bx
	for submit <at> debbugs.gnu.org; Tue, 26 Apr 2016 03:12:48 -0400
Received: from eggs.gnu.org ([208.118.235.92]:59246)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1auxAs-0001fJ-Do
 for 22883 <at> debbugs.gnu.org; Tue, 26 Apr 2016 03:12:46 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1auxAh-000414-WA
 for 22883 <at> debbugs.gnu.org; Tue, 26 Apr 2016 03:12:40 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:42630)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1auxAh-000410-T7; Tue, 26 Apr 2016 03:12:35 -0400
Received: from pluto.bordeaux.inria.fr ([193.50.110.57]:35456 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1auxAg-0005KC-NH; Tue, 26 Apr 2016 03:12:35 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: "Thompson\, David" <dthompson2@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine>
 <CAJ=Rwfbzn5WASeHUHGiB9Gum+Cy+5R-cd5iLgBXs+n4O4ekXqQ@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 8 =?utf-8?Q?Flor=C3=A9al?= an 224 de la =?utf-8?Q?R?=
 =?utf-8?Q?=C3=A9volution?=
X-PGP-Key-ID: 0x3D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-unknown-linux-gnu
Date: Tue, 26 Apr 2016 09:12:32 +0200
In-Reply-To: <CAJ=Rwfbzn5WASeHUHGiB9Gum+Cy+5R-cd5iLgBXs+n4O4ekXqQ@HIDDEN>
 (David Thompson's message of "Mon, 25 Apr 2016 20:17:21 -0400")
Message-ID: <8760v4268v.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -4.4 (----)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, Leo Famulari <leo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.4 (----)

Hello!

"Thompson, David" <dthompson2@HIDDEN> skribis:

> On Mon, Apr 25, 2016 at 8:13 PM, Leo Famulari <leo@HIDDEN> wrote:
>
>> I think it's common to make minor edits when committing on behalf of
>> others. For example, the committer might clean up a commit message or
>> standardize indentation.
>>
>> How should we handle this?
>
> You would sign the commit yourself if you are committing on behalf of
> someone else.

Right.  The (minor) issue I was referring to arises when one committer
massages signed commits from another committer.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 26 Apr 2016 00:17:28 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Apr 25 20:17:28 2016
Received: from localhost ([127.0.0.1]:47163 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1auqgy-0006W7-EA
	for submit <at> debbugs.gnu.org; Mon, 25 Apr 2016 20:17:28 -0400
Received: from mail-yw0-f171.google.com ([209.85.161.171]:34069)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <dthompson2@HIDDEN>) id 1auqgw-0006Vu-Mu
 for 22883 <at> debbugs.gnu.org; Mon, 25 Apr 2016 20:17:26 -0400
Received: by mail-yw0-f171.google.com with SMTP id j74so208923103ywg.1
 for <22883 <at> debbugs.gnu.org>; Mon, 25 Apr 2016 17:17:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=worcester-edu.20150623.gappssmtp.com; s=20150623;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc; bh=yh+bCeHUrycqCnuvwbjqEeEv1iz5nZcNyqpaZugOWFU=;
 b=1an3WtVNupm8aHBtkdbikFWRvlao/tD28vL2EbgX2YCfyNOR6902ytOlEm0768kKGq
 7m4GurwoJH6Lsss0t4/y4g4YaD9TRyBwEtOvXcxdnCY4CfhhFb1hiDNTTq7payn7gsqH
 7Y/3Pnfh3pD1hj1DoprvmGTD9EZ3eH/TXMMsReLGPqRmeFVW9DA0MFlvr+sCWqmsKpTj
 7s5T8qD3KdczIoqI0lBMtl3CvZ+GUtKaO8Xv3h8Vg1NDdAlaWC/RCEpADqs/l4nVXmzY
 HIT5q1VXZj3pA4TmlVpiImn9YMdhGPf+GOP2hBdderaLbnEUScEsr1Vb91jjMbZkeCnZ
 c2eQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:date
 :message-id:subject:from:to:cc;
 bh=yh+bCeHUrycqCnuvwbjqEeEv1iz5nZcNyqpaZugOWFU=;
 b=AJAQu6fAjX3SLT0htZTIZ50gHcPTh/cqFVqdxF4MMrMr3HkfhFH6djes6Txc5b4Ro8
 e9LLWAvUTxkmmrd1o+7msGJI5h0flN4F+IBCt8FXRffDcAGNBrBDew0A9Q/keeIICncB
 pKQwLSD66OWVZzNjexsjG4Hsd6QeLk+hR3vDHdz4iKVemKqJw6Kr2v9fWgt2nKgVoNID
 7z+G/xlyJ7poW1BBu9RFLCfiVBPdG1ECgwr60GZF4jQH/GlkpAJ4G3AltYhi3vyM6Id6
 Gm2KTIpyoPcKFPUcOmEkyDS3/Fq9AzGquvKnk/6qAzdbo8+Dz2za1P4G4K62824MEfGn
 KsJg==
X-Gm-Message-State: AOPr4FX3aYlKiCU5jfuARTr6EFr+I8PVeBCj5fyGsWFamKd+n+7pUAMcRJdJeGZ66QmhQgeMga9jOHWmQzuwbQ==
MIME-Version: 1.0
X-Received: by 10.129.89.134 with SMTP id n128mr25344085ywb.102.1461629841114; 
 Mon, 25 Apr 2016 17:17:21 -0700 (PDT)
Received: by 10.37.8.5 with HTTP; Mon, 25 Apr 2016 17:17:21 -0700 (PDT)
In-Reply-To: <20160426001359.GA23088@jasmine>
References: <87io14sqoa.fsf@HIDDEN> <87h9ep8gxk.fsf@HIDDEN>
 <20160426001359.GA23088@jasmine>
Date: Mon, 25 Apr 2016 20:17:21 -0400
Message-ID: <CAJ=Rwfbzn5WASeHUHGiB9Gum+Cy+5R-cd5iLgBXs+n4O4ekXqQ@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
From: "Thompson, David" <dthompson2@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Content-Type: text/plain; charset=UTF-8
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org, =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

On Mon, Apr 25, 2016 at 8:13 PM, Leo Famulari <leo@HIDDEN> wrote:

> I think it's common to make minor edits when committing on behalf of
> others. For example, the committer might clean up a commit message or
> standardize indentation.
>
> How should we handle this?

You would sign the commit yourself if you are committing on behalf of
someone else.

- Dave




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 26 Apr 2016 00:14:01 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Apr 25 20:14:01 2016
Received: from localhost ([127.0.0.1]:47159 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1auqdc-0004mj-V6
	for submit <at> debbugs.gnu.org; Mon, 25 Apr 2016 20:14:01 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:47456)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1auqdb-0004mZ-0c
 for 22883 <at> debbugs.gnu.org; Mon, 25 Apr 2016 20:13:59 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 974FF205E1
 for <22883 <at> debbugs.gnu.org>; Mon, 25 Apr 2016 20:13:58 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute5.internal (MEProxy); Mon, 25 Apr 2016 20:13:58 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 cc:content-transfer-encoding:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-sasl-enc
 :x-sasl-enc; s=mesmtp; bh=HbRXh1aHgyQ52+siPd2kksD9Ax0=; b=AY67fm
 MIlKaCmd6bv46hkjReqcZs1Ckl8x7ZiL3jRy87rWqimiVCoFqv/N3+PzrYLoz/FY
 Q3WG3kuaXuJb940lRZe3f2K6sdteJoq3jYjv78ADpkTnWOgbCoBwcsOGpCp1bRlU
 zqJyY41DUjt4U/vr6gRNz2ocmemOGcmR9beC8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=HbRXh1aHgyQ52+s
 iPd2kksD9Ax0=; b=e76l+EF5u74UucwpBaMN83J2/MM7hNNpfLKtPi6iJYu62/9
 s9oR6FjcGTpdIVOCcazF7ehA8cwC48Ci0VGmrKHJ6noNIDtGKxZ2k9tRfsz4VlaY
 WrniG2guuM/smuhjdDP+kmNktELjfBi8eqLma7AimeYiXhs/SJrCk9nUYneE=
X-Sasl-enc: sSnSNso29RADYpGueVXWMR2uR5XnNx3ExFTTg1Ses/pD 1461629638
Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231])
 by mail.messagingengine.com (Postfix) with ESMTPA id 57A156801D6;
 Mon, 25 Apr 2016 20:13:58 -0400 (EDT)
Date: Mon, 25 Apr 2016 20:13:59 -0400
From: Leo Famulari <leo@HIDDEN>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
Message-ID: <20160426001359.GA23088@jasmine>
References: <87io14sqoa.fsf@HIDDEN>
 <87h9ep8gxk.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87h9ep8gxk.fsf@HIDDEN>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 22883
Cc: Christopher Allan Webber <cwebber@HIDDEN>, 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Tue, Apr 26, 2016 at 12:25:11AM +0200, Ludovic Courtès wrote:
> Hello!
> 
> Christopher Allan Webber <cwebber@HIDDEN> skribis:
> 
> > On top of that, even if you run from git proper what there isn't a test
> > about is: can you trust those latest commits?  Git doesn't really check,
> > at least by default.
> >
> >   https://mikegerwitz.com/papers/git-horror-story
> >
> > How about this: anyone with commit access should use "signed off by" and
> > gpg signatures combined.  We should keep some list of guix committers'
> > gpg keys.  No commit should be pushed to guix without a gpg signature.
> > At this point, at least, there is some possibility of auditing things.
> 
> To make progress on this front, I’ve decided to start signing all my
> commits, so:
> 
> --8<---------------cut here---------------start------------->8---
> $ git config commit.gpgsign
> true
> $ git config --global user.signingkey
> 090B11993D9AEBB5
> --8<---------------cut here---------------end--------------->8---
> 
> I invite everyone to do the same.  Hopefully, within a few weeks, we can
> add a commit hook to reject unsigned commits.

Okay.

> Note that we’ll be signing patches we push on behalf of contributors who
> do not have commit access (reviewer’s responsibility).
> 
> Also, rebasing, amending, and cherry-picking code signed by someone else
> would lose the original signature, which isn’t great and should be
> avoided, if possible.

I think it's common to make minor edits when committing on behalf of
others. For example, the committer might clean up a commit message or
standardize indentation.

How should we handle this?




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 25 Apr 2016 22:25:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Apr 25 18:25:29 2016
Received: from localhost ([127.0.0.1]:46987 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1auowb-0003pM-10
	for submit <at> debbugs.gnu.org; Mon, 25 Apr 2016 18:25:29 -0400
Received: from eggs.gnu.org ([208.118.235.92]:39639)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1auowZ-0003p7-HG
 for 22883 <at> debbugs.gnu.org; Mon, 25 Apr 2016 18:25:27 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@HIDDEN>) id 1auowQ-0005iZ-F0
 for 22883 <at> debbugs.gnu.org; Mon, 25 Apr 2016 18:25:22 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:33651)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@HIDDEN>)
 id 1auowQ-0005iV-CQ; Mon, 25 Apr 2016 18:25:18 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:57924 helo=pluto)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1auowP-0007mx-Jr; Mon, 25 Apr 2016 18:25:18 -0400
From: ludo@HIDDEN (Ludovic =?utf-8?Q?Court=C3=A8s?=)
To: Christopher Allan Webber <cwebber@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
References: <87io14sqoa.fsf@HIDDEN>
Date: Tue, 26 Apr 2016 00:25:11 +0200
In-Reply-To: <87io14sqoa.fsf@HIDDEN> (Christopher Allan Webber's
 message of "Wed, 02 Mar 2016 10:03:59 -0800")
Message-ID: <87h9ep8gxk.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -4.4 (----)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.4 (----)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

Christopher Allan Webber <cwebber@HIDDEN> skribis:

> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits?  Git doesn't really check,
> at least by default.
>
>   https://mikegerwitz.com/papers/git-horror-story
>
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined.  We should keep some list of guix committers'
> gpg keys.  No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.

To make progress on this front, I=E2=80=99ve decided to start signing all my
commits, so:

=2D-8<---------------cut here---------------start------------->8---
$ git config commit.gpgsign
true
$ git config --global user.signingkey
090B11993D9AEBB5
=2D-8<---------------cut here---------------end--------------->8---

I invite everyone to do the same.  Hopefully, within a few weeks, we can
add a commit hook to reject unsigned commits.

Note that we=E2=80=99ll be signing patches we push on behalf of contributor=
s who
do not have commit access (reviewer=E2=80=99s responsibility).

Also, rebasing, amending, and cherry-picking code signed by someone else
would lose the original signature, which isn=E2=80=99t great and should be
avoided, if possible.

What remains to be seen, among other things, is how we=E2=80=99ll maintain a
keyring of the committers, and how we=E2=80=99ll distribute it to users of =
=E2=80=98guix
pull=E2=80=99; the TUF spec has clever ideas about it, but we need to see h=
ow
they map to our setup.

Thoughts?

Ludo=E2=80=99.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXHplLAAoJEAkLEZk9muu1UcEP/RykKMk+zQP/f1Wm4/TRGlje
IRTV9HXlLk8jPosxBGARfuKPyN+9lLgzU9kd7xlO/usgEZhSk9dyFY8JgpbAvWUH
G5+Z2ZlgDwQJbjNBz4qLvqpXVeFyh1Wys4zd80k+CA4dbC/OgumaJf76f3B1GRAa
gd1+IWQEcaLzKy+As2A0cRs5GWjsnBR5Sss7GSnFHx0jP2JIm5Z1n7JJ+aj4r9iF
DDgrQn01/gT04bVbnQ7UO4Oze4L4i1YoVagO5jj5KEMff/YmP53hiD5jeIEuTzer
/mFDGzwfgHdyGIPR3/dXL50in+Wcml52ig0oIacRYewBkF5cjT3p/VOx88lRhZ/S
Yo2Rp6NgBCP+F/yzCU2OgZQfpw2/Y01wz7/ChvhwtmYYR/aCbfrDuxO9yYUI2Ffg
RF9ai6iefzJFNRU9Ld97ksUL94JOgJEOoBigNs79hC+iNJ9ap9a958dkYbYL1N+W
lcDZx7YuBcufmOIKxmvzzSNMmhXi9gsb+fPhRP7LYozze4fNVYF1OSZ/qF3PCjYv
S8cnKr16L6xnlTFVvaspuJWKMtN5XQKHZ9NfJ2FubBhW6jEEYTuusRtnZgnLJtZ8
VyUIXWdpfI5ZOcEz1ZF1PBpWBUJ4avJdC1TOOqWWJ8r1WGCenJxhPSnDwB+MD4iO
lodcnhZ5pUPl4+NzOe/P
=L7A9
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.
Severity set to 'serious' from 'normal' Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 2 Mar 2016 21:07:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Mar 02 16:07:09 2016
Received: from localhost ([127.0.0.1]:58184 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1abDzB-00011u-6B
	for submit <at> debbugs.gnu.org; Wed, 02 Mar 2016 16:07:09 -0500
Received: from dustycloud.org ([50.116.34.160]:52584)
 by debbugs.gnu.org with esmtp (Exim 4.84)
 (envelope-from <cwebber@HIDDEN>) id 1abDzA-00011n-11
 for 22883 <at> debbugs.gnu.org; Wed, 02 Mar 2016 16:07:08 -0500
Received: from oolong (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 3DBE7266F6;
 Wed,  2 Mar 2016 16:07:05 -0500 (EST)
References: <87io14sqoa.fsf@HIDDEN> <20160302192642.GA16774@jasmine>
User-agent: mu4e 0.9.13; emacs 24.5.1
From: Christopher Allan Webber <cwebber@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
In-reply-to: <20160302192642.GA16774@jasmine>
Date: Wed, 02 Mar 2016 13:07:04 -0800
Message-ID: <878u20si6f.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

Leo Famulari writes:

> On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
>> Right now, when a user does a "guix pull", that pulls down the latest
>> repository of code from git, which is kept in a tarball.  Once you
>> receive the latest code, this has some checks: what's the hash of each
>> package, etc.
>
> A discussion worth having. But, let's merge this bug into
> debbugs.gnu.org/22629.

I'm not sure they should be merged, though they're related.  That thread
doesn't deal at all with security, though it provides some other good
ideas.  It even says:

  PS: I do not mention the issue of authenticating code here, which is
      obviously very important and deserves to be treated separately.

However I have no objections to merging them if others think we should

> Also, we should read "The Update Framework" as requested there.

This?  https://theupdateframework.github.io/

There seem to be quite a few papers there!




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at 22883 <at> debbugs.gnu.org:


Received: (at 22883) by debbugs.gnu.org; 2 Mar 2016 19:26:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Mar 02 14:26:44 2016
Received: from localhost ([127.0.0.1]:58119 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1abCQ0-00075T-A1
	for submit <at> debbugs.gnu.org; Wed, 02 Mar 2016 14:26:44 -0500
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:37515)
 by debbugs.gnu.org with esmtp (Exim 4.84)
 (envelope-from <leo@HIDDEN>) id 1abCPy-00075L-1E
 for 22883 <at> debbugs.gnu.org; Wed, 02 Mar 2016 14:26:42 -0500
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 67C1820A13;
 Wed,  2 Mar 2016 14:26:40 -0500 (EST)
Received: from frontend2 ([10.202.2.161])
 by compute3.internal (MEProxy); Wed, 02 Mar 2016 14:26:40 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h=
 cc:content-type:date:from:in-reply-to:message-id:mime-version
 :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=jqkpY
 uXpM3Y8If5Dt1cvSDhSZB8=; b=x/wVsMrwQ3IHR2x0wMtrUd2dXKzIs26p6r4FZ
 iRb/FKuXEjYzBZG0lidMBVE9U5z8sXoNSzOl9+hiEycAlS1LD23t+czr3PjRcu0n
 qEXn9IgMa/N3Gf8AcEZESb40ismzSGNqwg2uUnDSB5vIZdGCwMCTdgwyGPBKwNqb
 abxBiA=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-sasl-enc
 :x-sasl-enc; s=smtpout; bh=jqkpYuXpM3Y8If5Dt1cvSDhSZB8=; b=h3fJK
 IzDwUKCUY6PT6lCiYjGo9/a7EWy7I8tlBQwBn+eymFOHvwxMIMYN7fien8WsdM06
 lwc3qKgYKHuLmZWnSCR5qzkRH+JKItHhbsqS5ryc095BNonIVlFBppAvNG22lpTn
 ekG0o914nfXHfs/86Q4Lq55ZraHXPnaadn4PF0=
X-Sasl-enc: /wlmlTbc3QjLa6843S0kEWbvLtASLJIeGH9VSboVzSE0 1456946800
Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231])
 by mail.messagingengine.com (Postfix) with ESMTPA id 1FC4A6801B9;
 Wed,  2 Mar 2016 14:26:40 -0500 (EST)
Date: Wed, 2 Mar 2016 14:26:42 -0500
From: Leo Famulari <leo@HIDDEN>
To: Christopher Allan Webber <cwebber@HIDDEN>
Subject: Re: bug#22883: Trustable "guix pull"
Message-ID: <20160302192642.GA16774@jasmine>
References: <87io14sqoa.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87io14sqoa.fsf@HIDDEN>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 22883
Cc: 22883 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
> Right now, when a user does a "guix pull", that pulls down the latest
> repository of code from git, which is kept in a tarball.  Once you
> receive the latest code, this has some checks: what's the hash of each
> package, etc.

A discussion worth having. But, let's merge this bug into
debbugs.gnu.org/22629. Also, we should read "The Update Framework" as
requested there.

> 
> Unfortunately, it's delivered over http:
> 
>   (define %snapshot-url
>     ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
>     "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
>     )
> 
> At minimum we should deliver this over HTTPS, ideally with a single
> certificate that is trusted by the user, so the user can't be easily
> MITM'ed.
> 
> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits?  Git doesn't really check,
> at least by default.
> 
>   https://mikegerwitz.com/papers/git-horror-story
> 
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined.  We should keep some list of guix committers'
> gpg keys.  No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.
> 
> Perhaps before a master.tar.gz is made, there can be some integrity
> check of the commits matching the current set of "trusted" keys?
> 
> 
> 




Information forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 2 Mar 2016 18:04:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Mar 02 13:04:21 2016
Received: from localhost ([127.0.0.1]:58055 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1abB8H-0003JO-JM
	for submit <at> debbugs.gnu.org; Wed, 02 Mar 2016 13:04:21 -0500
Received: from eggs.gnu.org ([208.118.235.92]:59603)
 by debbugs.gnu.org with esmtp (Exim 4.84)
 (envelope-from <cwebber@HIDDEN>) id 1abB8F-0003JC-Tq
 for submit <at> debbugs.gnu.org; Wed, 02 Mar 2016 13:04:20 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1abB89-0002X9-Q3
 for submit <at> debbugs.gnu.org; Wed, 02 Mar 2016 13:04:14 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_40 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:35916)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1abB89-0002X0-NY
 for submit <at> debbugs.gnu.org; Wed, 02 Mar 2016 13:04:13 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50447)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1abB85-0004tC-9m
 for bug-guix@HIDDEN; Wed, 02 Mar 2016 13:04:13 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1abB80-0002RE-Uu
 for bug-guix@HIDDEN; Wed, 02 Mar 2016 13:04:09 -0500
Received: from dustycloud.org ([50.116.34.160]:47356)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <cwebber@HIDDEN>) id 1abB80-0002QT-Rr
 for bug-guix@HIDDEN; Wed, 02 Mar 2016 13:04:04 -0500
Received: from oolong (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id 5E9C9266F6
 for <bug-guix@HIDDEN>; Wed,  2 Mar 2016 13:04:00 -0500 (EST)
User-agent: mu4e 0.9.13; emacs 24.5.1
From: Christopher Allan Webber <cwebber@HIDDEN>
To: bug-guix@HIDDEN
Subject: Trustable "guix pull"
Message-ID: <87io14sqoa.fsf@HIDDEN>
Date: Wed, 02 Mar 2016 10:03:59 -0800
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.0 (----)

Right now, when a user does a "guix pull", that pulls down the latest
repository of code from git, which is kept in a tarball.  Once you
receive the latest code, this has some checks: what's the hash of each
package, etc.

Unfortunately, it's delivered over http:

  (define %snapshot-url
    ;; "http://hydra.gnu.org/job/guix/master/tarball/latest/download"
    "http://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz"
    )

At minimum we should deliver this over HTTPS, ideally with a single
certificate that is trusted by the user, so the user can't be easily
MITM'ed.

On top of that, even if you run from git proper what there isn't a test
about is: can you trust those latest commits?  Git doesn't really check,
at least by default.

  https://mikegerwitz.com/papers/git-horror-story

How about this: anyone with commit access should use "signed off by" and
gpg signatures combined.  We should keep some list of guix committers'
gpg keys.  No commit should be pushed to guix without a gpg signature.
At this point, at least, there is some possibility of auditing things.

Perhaps before a master.tar.gz is made, there can be some integrity
check of the commits matching the current set of "trusted" keys?




Acknowledgement sent to Christopher Allan Webber <cwebber@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#22883; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Sun, 2 Sep 2018 17:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.