Message ID | 20200608215224.2672-1-ludo@gnu.org |
---|---|
Ludovic Courtès <ludo@gnu.org> skribis:

> This patch series does it! It integrates checkout authentication
> with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.
> automatically authenticate the commits they fetch and raise an
> error if they find an unsigned commit or a commit signed by an
> unauthorized party¹.

[...]

> ¹ https://issues.guix.gnu.org/issue/22883#64

Something we didn’t discuss is that this model forbids a merge-request
kind of workflow, or at least the person who merges must sign the
commits, rewriting the merged branch.

I think it’s a reasonable tradeoff in this space, but it’s worth keeping
in mind.

Ludo’.

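
The trade-off described in the message above, as an added example that is not part of the original thread or of Guix's code: a simplified Python model in which every commit between an already-trusted starting commit and the tip must be signed by an authorized key. The single fixed `AUTHORIZED` set, the key names and the commit ids are constructed assumptions.

```python
# Added illustration: a simplified model, not Guix's implementation.
# Assumption: one fixed set of authorized key fingerprints for the whole history.
from collections import namedtuple

Commit = namedtuple("Commit", "id parents signer")  # signer None = unsigned

AUTHORIZED = {"MAINTAINER-KEY"}  # constructed placeholder fingerprint


def first_violation(commits, tip, trusted):
    """Walk from `tip` back to the `trusted` commit; return (id, reason) for
    the first commit that fails the check, or None if every commit passes."""
    by_id = {c.id: c for c in commits}
    seen, stack = {trusted}, [tip]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.add(cid)
        commit = by_id[cid]
        if commit.signer is None:
            return (cid, "unsigned")
        if commit.signer not in AUTHORIZED:
            return (cid, "unauthorized signer")
        stack.extend(commit.parents)  # a merge commit pulls in both parents
    return None


# Constructed histories. "root" is the already-trusted starting commit.
root = Commit("root", [], "MAINTAINER-KEY")

# Merge-request workflow: the contributor signs c1 with their own key and the
# maintainer signs only the merge commit m1.
merged = [root,
          Commit("c1", ["root"], "CONTRIBUTOR-KEY"),
          Commit("m1", ["root", "c1"], "MAINTAINER-KEY")]

# Rewritten workflow: the maintainer re-creates the change as c1' and signs it.
rewritten = [root, Commit("c1'", ["root"], "MAINTAINER-KEY")]

if __name__ == "__main__":
    print(first_violation(merged, "m1", "root"))     # c1 is rejected
    print(first_violation(rewritten, "c1'", "root"))  # history passes
```

Signing only the merge commit is not enough in this model, because the walk still reaches the contributor's commit through the merge's second parent.
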
Hello Guix!

Ludovic Courtès <ludo@gnu.org> skribis:

> This patch series does it! It integrates checkout authentication
> with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.
> automatically authenticate the commits they fetch and raise an
> error if they find an unsigned commit or a commit signed by an
> unauthorized party¹.

Last days to comment on this change! :-)

https://issues.guix.gnu.org/41767

If there are no objections by then, I’ll push on Tuesday 16th.

Ludo’.

Hi Ludo,

Thank you for explaining. All is clear. :-)

>> git clone https://git.savannah.gnu.org/git/guix.git
>> git worktree add -b foo wk/foo
>> cd wk/foo
>> # add my unready stuff
>> ./pre-inst-env guix pull --branch=foo --url=$PWS -p /tmp/foo
>> /tmp/foo/bin/guix install unready-stuff
>>
>> In this case, do I have to use the option '--disable-authentication'?
>
> Yes, you can always use it. "Qui peut le plus peut le moins." ;-)

The question is: is it mandatory?

> Note that this patch set changes nothing for third-party channels.
> (Attentive readers will find out how to make an authenticated channel,
> but it’s undocumented and inconvenient to use.)
>
> In the future, I think ‘guix pull’ will merely print a warning when
> using an unauthenticated channel. That’s something we’ll have to
> discuss.
>
> If you want to fork an “authenticated channel”, you don’t have to keep
> it authenticated. In essence, someone who writes:
>
> (channel (name 'zimoun) (url "https://zimoun.example.org"))
>
> states that they want to fetch code from your channel, but that no
> authentication will take place because there’s no ‘introduction’ field.

The root of my question is answered. :-)

And I do not know if I am an attentive reader but my concerns were about
this future discussion. So let's discuss that in the future. ;-)

Thank you for this nice piece of work!

All the best,
simon

ps:
Sorry for the delay, I changed how I process emails and this message
"disappeared". And I am not sure this answer will be correctly
delivered. Sorry in advance if I mess something up.