[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#57909] Add link to 'pre-inst-env' from 'installing from git' docs
|
From: |
Maxime Devos |
|
Subject: |
[bug#57909] Add link to 'pre-inst-env' from 'installing from git' docs |
|
Date: |
Sun, 18 Sep 2022 19:26:00 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0 |
merge 57909 57910
thanks
The given example "make authenticate" is insecure, it has a TOCTTOU
problem as indicated at <https://issues.guix.gnu.org/22883#59>:
Moreover, I don't think running 'make authenticate' after 'git pull'
would really work -- after you pulled, git-authenticate could've been
modified, so the verify-commit you did earlier doesn't apply anymore.
The solution that was proposed
> We can solve it by removing ./pre-inst-env from the command in ‘make
> authenticate’.
would be undone by the proposed patch. Even then, it remains insecure,
as an attacker could have modified the "make authenticate", as explained
in more detail at <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.
As such, I think we really shouldn't recommend "make authenticate" (and
even remove "make authenticate". In fact, I think we should remove
"make authenticate" and replace the instructions with a direct "guix git
authenticate ...".
As such, I propose that:
* you adjust the patch to note that authenticating the checkout is
impossible if you don't already have Guix installed (instead of
recommending the insecure "make authenticate")
* I write a patch removing "make authenticate" and adjusting old uses
of "make authenticate" to "guix git authenticate ...".
Greetings,
Maxime.
OpenPGP_0x49E3EE22191725EE.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
bug#57909: Sorry - accidentally opened duplicate issues, Emma Turner, 2022/09/19