From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 28 12:32:05 2022 Received: (at submit) by debbugs.gnu.org; 28 Jan 2022 17:32:05 +0000 Received: from localhost ([127.0.0.1]:60415 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nDV6T-0000uC-13 for submit@debbugs.gnu.org; Fri, 28 Jan 2022 12:32:05 -0500 Received: from lists.gnu.org ([209.51.188.17]:49948) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nDV6Q-0000u3-4g for submit@debbugs.gnu.org; Fri, 28 Jan 2022 12:32:03 -0500 Received: from eggs.gnu.org ([209.51.188.92]:60412) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nDV6P-000068-T5 for guix-patches@gnu.org; Fri, 28 Jan 2022 12:32:01 -0500 Received: from [2001:470:142:3::e] (port=33450 helo=fencepost.gnu.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nDV6P-0008PN-Ek; Fri, 28 Jan 2022 12:32:01 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:Subject:To:From:in-reply-to: references; bh=dq9IcKXPO6ORxKYv39S0RYu7MLL7ruLib5MV+thdYc4=; b=YuCKyOragxhdTQ Ewo9VoWYqpXDWK4L7fO4Mn0PrR7S7qKllvVbOICMQAD9YfhrMfUBDNv4SQs/vbWOwzLagiRjA1hdu IJWV4bXnWyh2ApPGLvaekDtzIVYsv1j+l1xxVeOEMnjaMCVbZDWeVTjUG8G8V/7mAW2ZxSQKOkBUG 7OU4oSbNLpTloDjsGrZ+nEpeLstxuNemSe/QQpD0IEPKRIWHLh+zMNwgF3kH6cnULtnhmrH5CqJL8 c4+iaozTM0RC5awpr4x/eVr1sK17Sb5ev0ehraEXm8IfM10ot2bR3bn9wV2tQQtvzLQPt0SUU96iB xCMJjGqURJNvr3Oh9/HA==; Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=33808 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nDV6M-00070m-Vx; Fri, 28 Jan 2022 12:31:59 -0500 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= To: guix-patches@gnu.org Subject: [PATCH 0/2] Rejecting commits unrelated to the introductory commit Date: Fri, 28 Jan 2022 18:31:42 +0100 Message-Id: <20220128173142.7072-1-ludo@gnu.org> X-Mailer: git-send-email 2.34.0 X-Debbugs-Cc: Maxime Devos , Attila Lendvai MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit Cc: =?UTF-8?q?Ludovic=20Court=C3=A8s?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hello! This patch series fixes a bug in the checkout authentication code: it would be possible to authenticate a commit unrelated to the introductory commit, provided that target commit passes the authorization invariant (see the commit log for details). Users of Guix and of third-party channels are safe: this bug does not have any impact on checkout authentication in those cases. What concrete cases are affected? Suppose someone forks Guix and publishes a new channel introduction for their fork. The expectation is that any branch started before the introductory channel, for instance in the original Guix repo, would fail to be authenticated. However, because of this bug, such a branch would be considered authentic in the fork because all its commits pass the authorization invariant (IOW, they are authentic in the original repository). Thoughts? Ludo'. Ludovic Courtès (2): git: Add 'commit-descendant?'. git-authenticate: Ensure the target is a descendant of the introductory commit. doc/guix.texi | 4 ++- guix/git-authenticate.scm | 17 ++++++++-- guix/git.scm | 24 +++++++++++++- tests/channels.scm | 60 +++++++++++++++++++++++++++++++++- tests/git-authenticate.scm | 44 +++++++++++++++++++++++++ tests/git.scm | 52 ++++++++++++++++++++++++++++- tests/guix-git-authenticate.sh | 17 ++++++++-- 7 files changed, 210 insertions(+), 8 deletions(-) base-commit: 5052f76afd02e27d6484acf74c86bfa1b6f9cd0e -- 2.34.0