bug#22883: Authenticating a Git checkout
From: Ludovic Courtès
Subject: bug#22883: Authenticating a Git checkout
Date: Tue, 19 May 2020 22:23:00 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello!

Ludovic Courtès <address@hidden> wrote:

> The list of authorized committers is meant to be stored in a
> ‘.guix-authorizations’ file in each branch of the channel. It is
> essentially a list of fingerprints:
>
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e
>
> To accept a new committer, an authorized committer must add its key to
> this file in the branch(es) where that person is expected to commit.
> The format currently accepts additional data for each fingerprint. It’s
> currently ignored, but I thought it could be useful in the future, for
> instance if we want to associate a file pattern with a key.
>
> A commit is considered “authorized” if and only if its signing key is
> listed in the ‘.guix-authorizations’ file of its parent commit(s).

The good news with this model is that an adversary cannot trick users
into fetching an unrelated branch where the authorizations would be
different: they can always detect that it’s a disconnected branch or
that it’s not a fast-forward pull.

The bad news is that this also prevents “unauthorized forks” in general.
Unless Guix folks explicitly push a commit authorizing the key of the
person who forks, commits by that person will appear as unauthorized.

So we need an extra mechanism to say: “this fork starts here”. However,
modifications to that piece of information must be detectable so that
one cannot serve a malicious fork that pretends to forego history.

Ludo’.
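
The authorization rule and the fast-forward check discussed in this message, modelled as an added example that is not part of the original message and not Guix code. The commit ids, the fingerprints, the `Commit` class and the function names are constructed for illustration, and requiring a merge's key in every parent is an assumption.

```python
from dataclasses import dataclass

# Constructed fingerprints, not real OpenPGP keys.
ALICE, BOB, FORKER, MALLORY = "AAAA", "BBBB", "FFFF", "MMMM"

@dataclass
class Commit:
    parents: tuple          # ids of the parent commits
    signer: str             # fingerprint of the key that signed the commit
    authorizations: set     # fingerprints in this commit's .guix-authorizations

# Constructed history: c0 <- c1 <- c2, a fork f1 on top of c1, and an
# unrelated branch x0 <- x1 that carries its own authorizations.
REPO = {
    "c0": Commit((), ALICE, {ALICE}),
    "c1": Commit(("c0",), ALICE, {ALICE, BOB}),      # Alice authorizes Bob
    "c2": Commit(("c1",), BOB, {ALICE, BOB}),
    "f1": Commit(("c1",), FORKER, {ALICE, BOB, FORKER}),
    "x0": Commit((), MALLORY, {MALLORY}),
    "x1": Commit(("x0",), MALLORY, {MALLORY}),
}

def ancestors(repo, tip):
    """Commit ids reachable from tip, tip included."""
    seen, stack = set(), [tip]
    while stack:
        cid = stack.pop()
        if cid not in seen:
            seen.add(cid)
            stack.extend(repo[cid].parents)
    return seen

def authorized(repo, cid):
    """Signing key listed in the authorizations of the parent commit(s).
    Assumption: a merge needs the key in every parent; a root has no parent
    to vouch for it, so it is never authorized by this rule alone."""
    commit = repo[cid]
    return bool(commit.parents) and all(
        commit.signer in repo[p].authorizations for p in commit.parents)

def authenticate_pull(repo, known, new_tip):
    """Check a pull from the already-trusted commit `known` to `new_tip`."""
    reachable = ancestors(repo, new_tip)
    if known not in reachable:
        return "rejected: not a fast-forward"
    new = reachable - ancestors(repo, known)
    bad = sorted(c for c in new if not authorized(repo, c))
    return "rejected: unauthorized " + ", ".join(bad) if bad else "ok"
```

In this model `x1` satisfies the per-commit rule inside its own branch, so only the ancestry check rejects it, while `f1` is rejected even though it lists its own key, because `c1` does not.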