
bug#22883: Authenticating a Git checkout


From: Ricardo Wurmus
Subject: bug#22883: Authenticating a Git checkout
Date: Fri, 27 Dec 2019 20:48:05 +0100
User-agent: mu4e 1.2.0; emacs 26.3

Ludovic Courtès <address@hidden> writes:

> Hello,
>
> Just a note for later…
>
> address@hidden (Ludovic Courtès) skribis:
>
>> With the quick-hack libgit2 bindings attached, I can run this program,
>> which authenticates HEAD:
>
> [...]
>
>> So I think we can go from here.  Our repo would contain a Scheme list of
>> authorized OpenPGP fingerprints, and we’d check whether the fingerprint
>> that shows up in ‘valid-signature’ above is among them
>
> Storing the list of authorized keys in a file in the repo is
> inconvenient: simply to retrieve it, you’d need to make a checkout.  So
> for each commit we verify, we have to check out the whole repo, which is
> inefficient.
>
> While reading
> <http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/>, I
> realized we could store it in empty Git commit messages, which would
> address the above problem (we could use a custom object type too, but
> that would be less convenient.)
>
> So the special commit could look like:
>
>   Authorization
>
>   (commit-authorizations
>     (authorization-commit (KEY1 KEY2 …))
>     (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))
>     (files _ (KEY1 KEY2 …))) ;all other files
>
> That way, to authenticate a commit, we first fetch the latest
> authorization commit, read the authorization rules from there, and make
> sure that the changes it makes match the rules.
>
> Thoughts?

Does this *have* to be baked into git?  Or are we like the carpenter
apprentice who just learned how to use a hammer and considers everything
to be a kind of nail…?

I see the appeal of having everything in git as that’s where the commits
are that should be authenticated, but using special commit messages
seems to me like shoehorning update authorization into a code revision
tool.

You mentioned that checking signatures on commits is also kinda slow
because it’s sequential and not cached.  I don’t know what I really
want, but is there perhaps a way to aggregate signatures on past commits
so that the client’s work is reduced…?

(I’m very glad you’re thinking about this problem and that you’ve come up
with practical steps forward!  I don’t know if my thoughts on this topic
are useful.)

--
Ricardo
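As an added illustration of the rule check sketched in the quoted message (example code written for this archive page, not Guix's own implementation): it reads the proposed `(commit-authorizations ...)` form and decides whether a signer may make a given set of changes. The KEYn fingerprints, the sample file names and the first-matching-rule semantics are assumptions.

```python
# Added example, not Guix code: check a commit's changes against the
# authorization rules proposed in the quoted message.
import re

# Constructed sample rules; KEYn stand in for OpenPGP fingerprints.
RULES = """
(commit-authorizations
  (authorization-commit (KEY1 KEY2))
  (files ("hydra.gnu.org.pub") (KEY1 KEY2))
  (files _ (KEY1 KEY2 KEY3)))
"""

def parse_sexp(text):
    """Minimal S-expression reader returning nested lists of strings."""
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)
    def read(pos):
        items = []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == "(":
                sub, pos = read(pos + 1)
                items.append(sub)
            elif tok == ")":
                return items, pos + 1
            else:
                items.append(tok.strip('"'))
                pos += 1
        return items, pos
    return read(0)[0][0]

def authorized_keys(rules, path):
    """Keys allowed to touch PATH; the first matching (files ...) rule wins
    (assumed semantics), with `_` acting as the catch-all."""
    for rule in rules[1:]:
        if rule[0] != "files":
            continue
        paths = rule[1]
        if paths == "_" or path in paths:
            return set(rule[2])
    return set()  # no rule: nobody may change this file

def commit_authorized(rules, signer, changed_files, is_auth_commit=False):
    """True if SIGNER may author a commit touching CHANGED_FILES.
    Authorization commits themselves are governed by the
    (authorization-commit ...) key list instead of the file rules."""
    if is_auth_commit:
        auth = next(r for r in rules[1:] if r[0] == "authorization-commit")
        return signer in auth[1]
    return all(signer in authorized_keys(rules, f) for f in changed_files)
```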
