[bug#53608,0/2] Rejecting commits unrelated to the introductory commit

Message ID 20220128173142.7072-1-ludo@gnu.org

Message

Ludovic Courtès Jan. 28, 2022, 5:31 p.m. UTC
Hello!

This patch series fixes a bug in the checkout authentication code:
it would be possible to authenticate a commit unrelated to the
introductory commit, provided that the target commit passes the
authorization invariant (see the commit log for details).

Users of Guix and of third-party channels are safe: this bug does
not have any impact on checkout authentication in those cases.

What concrete cases are affected?  Suppose someone forks Guix and
publishes a new channel introduction for their fork.  The expectation
is that any branch started before the introductory channel, for
instance in the original Guix repo, would fail to be authenticated.
However, because of this bug, such a branch would be considered
authentic in the fork because all its commits pass the authorization
invariant (IOW, they are authentic in the original repository).

Thoughts?

Ludo'.

Ludovic Courtès (2):
  git: Add 'commit-descendant?'.
  git-authenticate: Ensure the target is a descendant of the
    introductory commit.

 doc/guix.texi                  |  4 ++-
 guix/git-authenticate.scm      | 17 ++++++++--
 guix/git.scm                   | 24 +++++++++++++-
 tests/channels.scm             | 60 +++++++++++++++++++++++++++++++++-
 tests/git-authenticate.scm     | 44 +++++++++++++++++++++++++
 tests/git.scm                  | 52 ++++++++++++++++++++++++++++-
 tests/guix-git-authenticate.sh | 17 ++++++++--
 7 files changed, 210 insertions(+), 8 deletions(-)


base-commit: 5052f76afd02e27d6484acf74c86bfa1b6f9cd0e
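
A simplified model of the bug described in the cover letter above, added here as an illustration; it is not code from the patch series or from Guix. The commit graph, the key names and the functions `authenticate_before` and `authenticate_after` are assumptions made for the example, and the model reduces the authorization invariant to "a commit's signer is authorized by each of its parents".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    parents: tuple          # ids of parent commits
    signer: str             # key that signed the commit
    authorized: frozenset   # keys this commit authorizes for its children

def ancestors(repo, cid):
    """Return cid plus every commit reachable from it through parent links."""
    seen, stack = set(), [cid]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(repo[c].parents)
    return seen

def invariant_holds(repo, intro, target):
    """Check each commit reachable from target but not from intro:
    it must have parents, and its signer must be authorized by all of them."""
    pending = ancestors(repo, target) - ancestors(repo, intro)
    return all(
        repo[c].parents and
        all(repo[c].signer in repo[p].authorized for p in repo[c].parents)
        for c in pending)

def authenticate_before(repo, intro, target):
    # Behaviour described in the cover letter: only the invariant is checked.
    return invariant_holds(repo, intro, target)

def authenticate_after(repo, intro, target):
    # With the fix: the target must also descend from the introductory commit.
    return intro in ancestors(repo, target) and invariant_holds(repo, intro, target)

UP, FORK = frozenset({"upstream-key"}), frozenset({"fork-key"})
# Constructed history: root - a - intro - f1 (fork), and a - b1 - b2 (older upstream branch).
# "intro" is trusted through the channel introduction, so it is never checked against "a".
REPO = {
    "root":  Commit((), "upstream-key", UP),
    "a":     Commit(("root",), "upstream-key", UP),
    "intro": Commit(("a",), "fork-key", FORK),
    "f1":    Commit(("intro",), "fork-key", FORK),
    "b1":    Commit(("a",), "upstream-key", UP),
    "b2":    Commit(("b1",), "upstream-key", UP),
}
```

In this model `b2` passes the invariant alone because every commit on its branch is signed by a key its parent authorizes, yet it never passes through `intro`; only the descendant check rejects it.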

Comments

Ludovic Courtès Feb. 8, 2022, 11:02 p.m. UTC | #1
Howdy Maxime & Attila,

Did you have a chance to look into this series?

  https://issues.guix.gnu.org/53608

It’s relatively simple but I’d rather have other eyeballs looking at it.

TIA.  :-)

Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

> Hello!
>
> This patch series fixes a bug in the checkout authentication code:
> it would be possible to authenticate a commit unrelated to the
> introductory commit, provided that the target commit passes the
> authorization invariant (see the commit log for details).
>
> Users of Guix and of third-party channels are safe: this bug does
> not have any impact on checkout authentication in those cases.
>
> What concrete cases are affected?  Suppose someone forks Guix and
> publishes a new channel introduction for their fork.  The expectation
> is that any branch started before the introductory channel, for
> instance in the original Guix repo, would fail to be authenticated.
> However, because of this bug, such a branch would be considered
> authentic in the fork because all its commits pass the authorization
> invariant (IOW, they are authentic in the original repository).
>
> Thoughts?
>
> Ludo'.
>
> Ludovic Courtès (2):
>   git: Add 'commit-descendant?'.
>   git-authenticate: Ensure the target is a descendant of the
>     introductory commit.
>
>  doc/guix.texi                  |  4 ++-
>  guix/git-authenticate.scm      | 17 ++++++++--
>  guix/git.scm                   | 24 +++++++++++++-
>  tests/channels.scm             | 60 +++++++++++++++++++++++++++++++++-
>  tests/git-authenticate.scm     | 44 +++++++++++++++++++++++++
>  tests/git.scm                  | 52 ++++++++++++++++++++++++++++-
>  tests/guix-git-authenticate.sh | 17 ++++++++--
>  7 files changed, 210 insertions(+), 8 deletions(-)
>
>
> base-commit: 5052f76afd02e27d6484acf74c86bfa1b6f9cd0e

M Feb. 10, 2022, 10:29 p.m. UTC | #2
Ludovic Courtès wrote on Wed 09-02-2022 at 00:02 [+0100]:
> Howdy Maxime & Attila,
> 
> Did you have a chance to look into this series?
> 
>   https://issues.guix.gnu.org/53608
> 
> It’s relatively simple but I’d rather have other eyeballs looking at it.
> 
> TIA.  :-)

The concept seems reasonable to me but I cannot tell if the
implementation is good or bad.

Greetings,
Maxime.