Re: Guix git master reset

info-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Guix git master reset

From:	Tobias Geerinckx-Rice
Subject:	Re: Guix git master reset
Date:	Thu, 11 Mar 2021 11:20:26 +0100

Tobias Geerinckx-Rice 写道：

There was nothing wrong with the reverted commit; it was simplysigned
with a different key than ‘guix pull’ expects.

To generalise: ‘guix pull’ already tries not to trust mirrors byindependently verifying GPG commits, assuming you've pulled froman uncompromised repository once before.

Mirrors that cautiously refuse to update to a reset head offer nosecurity advantage, but they will silently serve old (and possiblyvulnerable) packages to users.


Kind regards,

T G-R

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Guix git master reset, Tobias Geerinckx-Rice, 2021/03/11
- Re: Guix git master reset, Tobias Geerinckx-Rice <=

Prev by Date: Guix git master reset
Next by Date: Risk of local privilege escalation via guix-daemon
Previous by thread: Guix git master reset
Next by thread: Risk of local privilege escalation via guix-daemon
Index(es):
- Date
- Thread