From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 25 20:14:01 2016 Received: (at 22883) by debbugs.gnu.org; 26 Apr 2016 00:14:01 +0000 Received: from localhost ([127.0.0.1]:47159 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1auqdc-0004mj-V6 for submit@debbugs.gnu.org; Mon, 25 Apr 2016 20:14:01 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:47456) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1auqdb-0004mZ-0c for 22883@debbugs.gnu.org; Mon, 25 Apr 2016 20:13:59 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 974FF205E1 for <22883@debbugs.gnu.org>; Mon, 25 Apr 2016 20:13:58 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Mon, 25 Apr 2016 20:13:58 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=HbRXh1aHgyQ52+siPd2kksD9Ax0=; b=AY67fm MIlKaCmd6bv46hkjReqcZs1Ckl8x7ZiL3jRy87rWqimiVCoFqv/N3+PzrYLoz/FY Q3WG3kuaXuJb940lRZe3f2K6sdteJoq3jYjv78ADpkTnWOgbCoBwcsOGpCp1bRlU zqJyY41DUjt4U/vr6gRNz2ocmemOGcmR9beC8= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=HbRXh1aHgyQ52+s iPd2kksD9Ax0=; b=e76l+EF5u74UucwpBaMN83J2/MM7hNNpfLKtPi6iJYu62/9 s9oR6FjcGTpdIVOCcazF7ehA8cwC48Ci0VGmrKHJ6noNIDtGKxZ2k9tRfsz4VlaY WrniG2guuM/smuhjdDP+kmNktELjfBi8eqLma7AimeYiXhs/SJrCk9nUYneE= X-Sasl-enc: sSnSNso29RADYpGueVXWMR2uR5XnNx3ExFTTg1Ses/pD 1461629638 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 57A156801D6; Mon, 25 Apr 2016 20:13:58 -0400 (EDT) Date: Mon, 25 Apr 2016 20:13:59 -0400 From: Leo Famulari To: Ludovic =?iso-8859-1?Q?Court=E8s?= Subject: Re: bug#22883: Trustable "guix pull" Message-ID: <20160426001359.GA23088@jasmine> References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87h9ep8gxk.fsf@gnu.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 22883 Cc: Christopher Allan Webber , 22883@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Tue, Apr 26, 2016 at 12:25:11AM +0200, Ludovic Courtès wrote: > Hello! > > Christopher Allan Webber skribis: > > > On top of that, even if you run from git proper what there isn't a test > > about is: can you trust those latest commits? Git doesn't really check, > > at least by default. > > > > https://mikegerwitz.com/papers/git-horror-story > > > > How about this: anyone with commit access should use "signed off by" and > > gpg signatures combined. We should keep some list of guix committers' > > gpg keys. No commit should be pushed to guix without a gpg signature. > > At this point, at least, there is some possibility of auditing things. > > To make progress on this front, I’ve decided to start signing all my > commits, so: > > --8<---------------cut here---------------start------------->8--- > $ git config commit.gpgsign > true > $ git config --global user.signingkey > 090B11993D9AEBB5 > --8<---------------cut here---------------end--------------->8--- > > I invite everyone to do the same. Hopefully, within a few weeks, we can > add a commit hook to reject unsigned commits. Okay. > Note that we’ll be signing patches we push on behalf of contributors who > do not have commit access (reviewer’s responsibility). > > Also, rebasing, amending, and cherry-picking code signed by someone else > would lose the original signature, which isn’t great and should be > avoided, if possible. I think it's common to make minor edits when committing on behalf of others. For example, the committer might clean up a commit message or standardize indentation. How should we handle this?