Felix Lechner <felix.lech...@lease-up.com> writes:

> Okay, thanks!  In that case, I will get my fingerprint, upon failure,
> from the .guix_authorizations files in all other channels---specifically
> from the most recent commits there.

Hmm, OK. That could work, but would probably open up a larger attack
surface; Tomas had a similar idea to yours, and I shared some concerns
there [1].

That said, it's possible that those attack vectors are just not that
significant in your own personal threat model, as Tomas noted in his
response to me [2]. Which is fine. I on the other hand am aiming for a
solution that the whole community can rely on, so I do have to worry
about those attack vectors if there's even the slightest chance they
could affect anyone at all.

> I'm okay relying on previous authentication decisions made locally even
> after a key used for past commits is no longer available from another
> channel, or after that channel was dropped.

This would probably mean that if you drop a compromised key from your
own channel, and that key was used to sign your commits to your fork,
and then you have to delete and re-clone your fork and authenticate the
whole thing from scratch, it won't work... but I think that's what you
meant by "I'm okay relying on previous authentication decisions made
locally". Cool.

(Don't mind me, I'm just mining every single fork-authentication-related
message I can find for possible improvements to my proposal :D)

Good luck,
45mg

[1] https://yhetil.org/guix/87ikqcgjsa....@gmail.com/
[2] https://yhetil.org/guix/8734harh6k....@wolfsden.cz/
