Ludovic Courtès <l...@gnu.org> skribis:
> • Generalize that to channels.
As I see it, the generalization would be made by adding the
authentication parameters to the ‘.guix-channel’ file, along these
lines:
(channel
(version 0)
(keyring-reference "my-keyring-branch")
(historical-authorizations ".guix-authorizations.old"))
where:
• ‘keyring-reference’ specifies the branch where to look for *.key
files that constitute the keyring. It can be ‘master’ and have the
key mixed up with other files if that’s OK for the channel. By
default, it could be the current branch.
• ‘historical-authorizations’ specifies a file to load in this branch
and that contains a ‘.guix-authorizations’-formatted list of
fingerprints for commits that lack a ‘.guix-authorizations’ file.
By default, we could ignore historical commits—more specifically,
commits whose parent(s) lack(s) ‘.guix-authorizations’. It does
mean that if an authorized commit removes ‘.guix-authorizations’,
then we’re back to unauthenticated commits.
‘guix pull’ would error out before attempting to build anything if
authentication fails. It could display a warning when pulling a commit
whose parent(s) lack(s) ‘.guix-authorizations’.
Thoughts?
In terms of code, everything is already there, so it’d be mostly about
moving code around and double-checking the new data formats since
they’ll be hard to change.
In terms of processes, it’ll be tricky: if we committers make a mistake
(sign with the wrong key, forget to add a new committer’s key, etc.),
nobody is able to pull. In such a case, we’ll probably have to do a
hard-reset of the affected branch.
It would be best if we had a server-side hook to perform all these
checks, so that we don’t encounter such problems. That would mean
running some of this code on Savannah, I don’t know if it’ll be
possible. If it’s not, we can set up our own Git repo elsewhere and
make Savannah a mirror.
More thoughts? :-)
Ludo’.
