Hi all,
If you try to guix pull now, this is what you'll see:
guix pull: error: commit 39465409f0481f27d252ce25d2b02d3f5cbc6723
not signed by an authorized key:
2841 9AC6 5038 7440 C7E9 2FFA 2208 D209 58C1 DEB0
There is and was no security risk.
This is Guix working as intended in the presence of a commit pushed
earlier today. The failing commit[0] is benign, and the committer did
nothing wrong.
The commit is signed by a subkey of the main key that Guix expects, and
it does not deal well with that fact. This is something we'll have to
discuss and probably fix, both in Guix and in the git push hook on
Savannah[1].
I'm currently waiting to hear from the Savannah admins, who are the only
ones who can roll back master for us. I'm not aware of any way we could
do this ourselves. I'll follow up when it's done.
Until then, you can:
1. Not pull. If your Guix was relatively recent, you're not missing
much if anything.
2. If you must have the very latest (valid) commit, you can run:
guix pull --commit=ad878a2c5e5313c534ccf2546cb8c978e5295ae1
which will validate just fine.
3. I do NOT recommend disabling authentication. There is simply no
benefit to that.
TTYL,
T G-R
[0]:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=39465409f0481f27d252ce25d2b02d3f5cbc6723
[1]: Which has been deficient for years, which I've known about, and did
nothing about.
Sent from a Web browser. Excuse or enjoy my brevity.
