Commit pushed to master with unauthorised signature

[Tobias Geerinckx-Rice]

Guix,

I have very little time to write a proper post-mortem.  Luckily, 
thanks to the prompt help of rwp of #savannah fame and Ludo's sane 
‘guix pull’ design, there's not much to report, although there's 
something to improve.

Despite the scary title, at no point did anything untoward or 
malicious happen.  Users were not at risk.

Earlier today the following commit was pushed to master:

--8<---------------cut here---------------start------------->8---
commit 15092548804b6c50ea276d098f76a79bd0042398
gpg: Signature made Wed Mar 10 19:55:39 2021 CET
gpg:                using RSA key 
51A0982A58B64622464833085EEB3986CB2F65ED
gpg: Good signature from "Taylan Kammer (Debian10VM) 
<taylan.kammer@gmail.com>" [unknown]
Primary key fingerprint: 51A0 982A 58B6 4622 4648  3308 5EEB 3986 
CB2F 65ED
Author: Taylan Kammer <taylan.kammer@gmail.com>

   gnu: guile-bytestructures: Update to 1.0.10.

   * gnu/packages/guile.scm (guile-bytestructures): Update to 
   1.0.10.
--8<---------------cut here---------------end--------------->8---

The key with fingerprint 51A0 982A 58B6 4622 4648  3308 5EEB 3986 
CB2F 65ED is not present in .guix-authorizations, nor in the 
‘keyring’ branch.  This broke ‘guix pull’ for all users[0]:

--8<---------------cut here---------------start------------->8---
guix pull: error: could not authenticate commit 
15092548804b6c50ea276d098f76a79bd0042398: key 51A0 982A 58B6 4622 
4648 3308 5EEB 3986 CB2F 65ED is missing
--8<---------------cut here---------------end--------------->8---

The only solution to that is to remove the offending commit 
upstream.  Our Savannah git repository does not allow deleting or 
force-pushing master for safety reasons.  Helpful Bob Proulx of 
the Savannah team manually reset the remote master branch back to 
the previous[1] commit.

I have pushed Taylan's commit as 
b1eb7448370bbd4d494cf9f3fddae88dd0de2ca3, signed with my own key.

The good news is that ‘guix pull’ commit authentication has passed 
real-world testing, and that the mess was relatively transparent 
to users: ‘guix pull’ continues to work without extra options, 
even for those who pulled between 150925 and b1eb74 and got a 
scary error.

The less-good news is that our remote git hook should never have 
allowed this to happen in the first place, and that this weakness 
has been known for... well, a while[2].  Any committer can DoS 
guix pull in a way that even the maintainers can't fix unaided.

This also highlights the fact that many people[3] are currently 
unconditionally trusted with commit access.  This includes 
‘currently inactive members’: Savannah has no way to disable or 
even restrict commit access (to specific branches, subdirectories, 
or even repositories(?)) without removing membership altogether. 
The chance of mistakes, key confusion, forgotten commit privileges 
grows.

lfam has started removing certain inactive people from this list, 
but removing people is not a fun job nor something one proactive 
volunteer should be tasked with alone.

Kind regards,

T G-R

[0]: https://logs.guix.gnu.org/guix/2021-03-10.log#205043
[1]: 60174c9c8c307be43450af38ce7c4e268278e07c,
[2]: 
https://savannah.nongnu.org/support/?func=detailitem&item_id=109104
[3]: https://savannah.gnu.org/project/memberlist.php?group=guix

signature.asc
Description: PGP signature