Hi Simon,
zimoun <zimon.toutoune@gmail.com> skribis:
Toggle quote (7 lines)
> From my understanding, there are 4 situations>> 1- add signed material to a signed channel> 2- introduce authentication to an unsigned channel> 3- add unsigned material to a signed channel> 4- add unsigned material to unsigned channel
I’m not sure what material you have in mind.
There are in my view only two situations: a channel that can beauthenticated (it has signed commits, ‘.guix-authorizations’, and an“introduction”), and one that cannot.
The idea is that a channel that can be authenticated would remain thatway “forever”.
Toggle quote (12 lines)
> And I am interested by how it works for the situation #3. For a> concrete example of 3., e.g.,>> git clone https://git.savannah.gnu.org/git/guix.git> git worktree add -b foo wk/foo> cd wk/foo> # add my unready stuff> ./pre-inst-env guix pull --branch=foo --url=$PWS -p /tmp/foo> /tmp/foo/bin/guix install unready-stuff>> In this case, do I have to use the option '--disable-authentication'?
Yes, you can always use it.
Toggle quote (3 lines)
> And this is the scenario for almost all the patches on guix-patches;> even if 'pull' is generally not necessary when testing the patch. :-)
Right. When hacking, I just use ./pre-inst-env to test my stuff.
Toggle quote (8 lines)
> Another example is let consider that this channel [2] -- or any other> public one used by labs to publish specific tools; I am not aware> about one by INRIA ;-) -- and let imagine that this channel is> authenticated, i.e., there is a '.guix-authorizations' file. Now, can> I fork this channel and my unsigned material without entering in the> security dance? Do I need to use the option> '--disable-authentication'?
Note that this patch set changes nothing for third-party channels.(Attentive readers will find out how to make an authenticated channel,but it’s undocumented and inconvenient to use.)
In the future, I think ‘guix pull’ will merely print a warning whenusing an unauthenticated channel. That’s something we’ll have todiscuss.
If you want to fork an “authenticated channel”, you don’t have to keepit authenticated. In essence, something who writes:
(channel (name 'zimoun) (url "https://zimoun.example.org"))
states that they want to fetch code from your channel, but that noauthentication will take place because there’s no ‘introduction’ field.
Toggle quote (6 lines)
> Moreover, if this forked channel is added to> '~/.config/guix/channels.scm', i.e., in addition to> '%default-channel', what happens for pulling? Well, it is not> possible to pull a signed channel and an "unauthorized fork from a> signed channel" in only one command, right?
With this patch set, ‘guix pull’ just behaves the same as now.In the future, it would probably just print a warning about theunauthenticated channel.
Toggle quote (4 lines)
> Well, I am sorry to be insistent but this authentication machinery> seems having an hard implication in my workflow and I would like to be> prepared.
Definitely, feedback like this is very helpful.
I think it’s important for all of us to think about the implications.Surely we want security, but not at the cost of usability.
Thanks,Ludo’.