On 11.03.2021 20:16, Leo Famulari wrote: > On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote: >> Damn, sorry about that. I assumed of course that an improperly signed >> commit would not be accepted, so I didn't pay any special mind. > > The security model is based on the client-side, i.e. `guix pull`. That > way, we don't have to trust the Git repo. We do want to improve the repo > so that it's not possible to push commits signed with unauthorized keys, > but that hasn't been done yet. > >> However, I also assumed that adding a new GPG key to my savannah.gnu.org >> account would be sufficient. I did that via the web interface, and >> ensured that the encryption test is successful. The commit is signed >> with that new GPG key. > > Adding your key(s) to your Savannah account is a required step... > >> Are the GPG keys added to one's Savannah account unrelated to commit >> signing in the Guix repo, or are they not automatically synced, or is >> this a further bug?.. > > ... but, we have a new code authentication system, described in the > manual section Specifying Channel Authorizations: > > https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html > > Basically, committers' keys must be added to the .guix-authorizations > file in the Git repo before their work will be accepted by `guix pull`. > > We are really happy that you are pushing code again :) > > When this issue popped up yesterday, I removed your commit access just > to avoid further broken commits. Concretely, this means that I removed > you from the Guix "group" on Savannah. > > However, I want to re-add you as a committer. Please read the manual > sections Commit Access. Especially, the part about the pre-push Git > hook, which would have caught this issue before pushing. > > https://guix.gnu.org/manual/en/html_node/Commit-Access.html > > Let me know when you've read the updated committer workflow guidelines > and installed the pre-push Git hook, and we'll add your new key to > .guix-authorizations, re-add you to the Savannah group, and then we can > continue with our happy hacking :)
Thanks for the kind explanation! I'll get in touch when I'm not so out of the loop anymore. To be honest I was just "summoned" by a bug report on guile-bytestructures and am otherwise still overloaded with work life plus personal projects outside of free software. - Taylan
