On 11 March 2021 08:11:38 GMT-05:00, Taylan Kammer <taylan.kammer@gmail.com> wrote:
> On 11.03.2021 08:37, Maxime Devos wrote:
>> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>> [...]
>>> Damn, sorry about that. I assumed of course that an improperly signed
>>> commit would not be accepted, so I didn't pay any special mind.
>>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>>> account would be sufficient.
>>
>> "guix pull" only looks at the git repo (the .guix-authorizations file + the
>> keyring branch), and not anything else provided by savannah. Doing so would
>> introduce an additional point where the "guix pull" mechanism could be
>> compromised. The git repository could as well have been hosted at
>> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>>
>> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
>> ‘7.4 Invoking ‘guix git authenticate’’).
>
> Thanks, makes sense.
>
> I'm hopping workstations recently, and my general habit is to create new
> keys on each machine I'm using and register them wherever needed.
> (E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)
> I guess I shouldn't do that with Guix push access and instead keep a GPG
> key on a USB drive or such.
>
> - Taylan
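The point Maxime makes above, that the trust decision lives entirely inside the repository (the `.guix-authorizations` file plus the keyring branch) and never consults the forge account, can be shown with a small model. The code below is an added illustration for this thread, not Guix's own implementation: real `guix git authenticate` verifies OpenPGP signatures against keys fetched from the keyring branch, whereas here a commit's "signature" is just the fingerprint recorded on it and the keyring is a constructed set of fingerprints. The rule the model follows, that each commit after the channel introduction must be signed by a key listed in its parent commit's `.guix-authorizations`, is the one the Guix manual describes; the commit ids and fingerprints are made-up sample values.

```python
"""Toy model of Guix channel commit authentication (added example, not
Guix code).  Signature checking is simulated: a commit carries the
fingerprint that "signed" it, and the keyring branch is a plain set."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Commit:
    cid: str                        # commit id (constructed sample value)
    parent: Optional[str]           # parent commit id, None for the root
    signer: Optional[str]           # fingerprint that signed it; None = unsigned
    authorizations: FrozenSet[str]  # fingerprints in .guix-authorizations at this commit


class AuthenticationError(Exception):
    pass


def authenticate(commits, keyring, introduction_commit, introduction_key, head):
    """Walk from the introduction commit to HEAD, checking every commit.

    Rules modelled (assumptions of this example, mirroring the manual):
      * the introduction commit must be signed by the introduction key;
      * every later commit must be signed by a key listed in the
        .guix-authorizations of its *parent* commit;
      * the signing key must be present in the keyring.
    Nothing outside the repository (e.g. a forge account) is consulted.
    Returns the authenticated commit ids, oldest first.
    """
    by_id = {c.cid: c for c in commits}

    # Collect the path introduction -> head by walking parents back from head.
    path: List[str] = []
    cur: Optional[str] = head
    while cur is not None:
        path.append(cur)
        if cur == introduction_commit:
            break
        cur = by_id[cur].parent
    else:
        raise AuthenticationError("introduction commit is not an ancestor of HEAD")
    path.reverse()

    authenticated = []
    for cid in path:
        c = by_id[cid]
        if c.signer is None or c.signer not in keyring:
            raise AuthenticationError(f"{cid}: unsigned, or key not in keyring branch")
        allowed = {introduction_key} if cid == introduction_commit \
            else by_id[c.parent].authorizations
        if c.signer not in allowed:
            raise AuthenticationError(f"{cid}: signer {c.signer} not authorized by parent")
        authenticated.append(cid)
    return authenticated


def demo():
    """Right way vs. the mistake discussed in the thread (constructed data)."""
    intro, old, new = "FPR-INTRO-0000", "FPR-OLD-0001", "FPR-NEW-0002"
    base = frozenset({intro, old})
    good = [
        Commit("c0", None, intro, base),
        Commit("c1", "c0", old, base),
        # c2 is signed with the already-authorized key and adds the new one.
        Commit("c2", "c1", old, base | {new}),
        # c3 may now be signed with the new key: c2 (its parent) lists it.
        Commit("c3", "c2", new, base | {new}),
    ]
    ok = authenticate(good, {intro, old, new}, "c0", intro, "c3")

    # Mistake: the new key was only registered with the forge account, so
    # neither the keyring branch nor .guix-authorizations knows about it.
    bad = good[:2] + [Commit("c2", "c1", new, base)]
    try:
        authenticate(bad, {intro, old}, "c0", intro, "c2")
        rejected = False
    except AuthenticationError:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

The second scenario in `demo()` is the situation described in the thread: a key known to the hosting account but absent from the repository is rejected, because the repository is the only source of truth. The model also rejects a commit that tries to authorize its own new key, since the check is always against the parent's authorizations.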