Hi Felix!

Felix Lechner <felix.lech...@lease-up.com> writes:

>> similar in scope or design to my current implementation?
>
> Dunno. I didn't understand the discussion.
>
> I plan to merge the keyrings of all channels before checking new
> commits. My own channel will provide the key I need.

Um, OK. I think there may be some details I'm missing here, but in the interest of effort deduplication and (hopefully) just being helpful, here's some unsolicited advice from someone who has worked on this problem way longer than is healthy. I'll try not to presume any specific level of knowledge here.

Consider the design of the authentication mechanism [1]. Specifically, the authorization invariant: to authenticate a commit, a key needs to be in the .guix_authorizations file of all of its parent commits. (Just being in the keyring is not enough; the keyring itself is unauthenticated.)

This is the main challenge I've faced in doing authenticated forks. Take, for example, your own fork [2]. It seems you're rebasing the 'lechner-experimental' branch on top of master regularly, and pulling (unauthenticated) from that [3]. To have authentication with this design, you'll need to specify the first commit of 'lechner-experimental' as your channel introduction. Furthermore, that commit's hash will change after every rebase, so you'll need to update your introduction every time you rebase, and pull with '--allow-downgrades' that time.

If you want to benefit from the existing discussion and work that has been done on this topic, the thread for my initial proposal [4] should cover basically everything; my current proposal [5] is based on ideas shared there. Note also that your workflow is similar to the workflow that Atilla shared [6].

Unless, of course, you've managed to come up with something much simpler that completely sidesteps all of these problems, that none of us have had the right perspective to see. That would be cool!

Good luck,
45mg

[1] https://guix.gnu.org/blog/2020/securing-updates/
[2] https://codeberg.org/lechner/guix-mirror/src/branch/lechner-experimental
[3] https://yhetil.org/guix/CAFHYt55Zd9jY=-_r_hddr-xbovssmnimikxh+p9yng9oxke...@mail.gmail.com/
[4] https://yhetil.org/guix/878qrednyx....@gmail.com/
[5] https://yhetil.org/guix/cover.1738357415.git.45mg.wri...@gmail.com/
[6] https://yhetil.org/guix/87ikqerimt....@gmail.com/
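
The authorization invariant and the rebase problem described in the message above, as an added example that is not part of the original message or of Guix's own code: a simplified Python model in which each commit carries the set of keys its authorizations file lists. The key names, the commit graph and the `Commit`, `authenticate` and `fork_on` helpers are all constructed for illustration, and the keyring is deliberately not consulted.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    message: str
    signer: str              # fingerprint of the signing key (constructed values)
    authorized: frozenset    # keys listed in this commit's authorizations file
    parents: tuple = ()

    @property
    def id(self):
        # As in Git, the id covers the parent ids, so a rebase changes it.
        fields = [self.message, self.signer, *sorted(self.authorized),
                  *(p.id for p in self.parents)]
        return hashlib.sha256("|".join(fields).encode()).hexdigest()[:12]

def authenticate(commit, intro_id, intro_signer):
    """True if commit is the introduction, or descends from it with every
    commit on the way signed by a key authorized in ALL of its parents."""
    if commit.id == intro_id:
        return commit.signer == intro_signer
    if not commit.parents:
        return False         # reached a root without meeting the introduction
    return all(commit.signer in p.authorized
               and authenticate(p, intro_id, intro_signer)
               for p in commit.parents)

def fork_on(base, fork_keys):
    """Two fork commits on top of base: the first authorizes the fork key."""
    first = Commit("authorize fork key", "FORK-KEY", fork_keys, (base,))
    return first, Commit("fork change", "FORK-KEY", fork_keys, (first,))

def demo():
    upstream = frozenset({"UPSTREAM-KEY"})
    fork = upstream | {"FORK-KEY"}
    u1 = Commit("upstream 1", "UPSTREAM-KEY", upstream)
    u2 = Commit("upstream 2", "UPSTREAM-KEY", upstream, (u1,))
    f1, f2 = fork_on(u1, fork)        # fork branch before the rebase
    r1, r2 = fork_on(u2, fork)        # same branch rebased onto u2
    return {
        "upstream intro": authenticate(f2, u1.id, "UPSTREAM-KEY"),
        "fork intro": authenticate(f2, f1.id, "FORK-KEY"),
        "rebased, old intro": authenticate(r2, f1.id, "FORK-KEY"),
        "rebased, new intro": authenticate(r2, r1.id, "FORK-KEY"),
        "intro id changed": f1.id != r1.id,
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The fork's first commit can never pass under the upstream introduction, because its parent does not authorize the fork key; it is only accepted as an introduction itself, and that introduction stops matching as soon as the branch is rebased.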