[I intended to CC the following to guix-devel but forgot:]

------- Forwarded Message -------
From: Ryan Prior <rpr...@protonmail.com>
Date: On Saturday, March 16th, 2024 at 6:36 PM
Subject: Re: Concerns/questions around Software Heritage Archive
To: Vivien Kraus <viv...@planete-kraus.eu>
> > On Saturday, March 16th, 2024 at 6:13 PM, Vivien Kraus <viv...@planete-kraus.eu> wrote:
> >
> > 2. is more difficult, because Guix contributors sometimes change their
> > names too, and a commit reading “update my name” is not the best
> > solution. If I understand correctly, rewriting the history would be
> > understood as a “downgrade attack”, contrary to the ftfy case where the
> > developer could rewrite the history without such consequences. Is my
> > understanding correct?
>
> It's only a problem IMO because we make the decision to treat Guix as an
> append-only series of commits and treat any other outcome as a potential
> attack. One alternate solution would be to allow provision of an
> authenticated alternate-history data structure, which indicates a set of (old
> commit hash, new commit hash) tuples going back to the first rewritten commit
> in the history, and the whole thing would be signed by a Guix committer. That
> way, the updating Guix client can rewind history, apply the new commit(s),
> verify that the old chain and new chain match what's provided in the
> alternate-history structure & that its signature is valid. Thus verified, the
> Guix installation could continue without needing to allow a downgrade
> exception.
>
> Perhaps there are much better ways of handling this, but I propose it in
> hopes of clarifying that there are technical solutions which preserve
> integrity while permitting history rewrites in situations where it is
> desirable.
>
> I have requested previously that some commits I've provided be rewritten to
> update my name. In my case, it's because I've sometimes misconfigured my
> email software such that some commits by me are signed just "ryan" or "Ryan
> Prior via Protonmail" or similar, rather than my preference which is "Ryan
> Prior".
>
> In my case this causes me no harm and is simply an annoyance, so when I
> encountered resistance to rewriting the offending commits, I dropped the
> matter, and I still consider it dropped and settled. Even if we developed the
> capability to securely present a rewritten history, I wouldn't demand that
> such be used to address small concerns like mine.
>
> However, I know we have at least two trans Guix contributors. Do they have
> any commits with their deadnames on them? Not that this is an invitation to
> go look; they can tell us if this is a concern worth raising. I include the
> detail to clarify that this is not a distant concern. Perhaps they have been
> silent thus far for the same reason that I have, because the policy against
> rewrites presents too high a barrier? (Or it may not bother them, or maybe
> they used their initials which are the same etc?) In any case I think it
> would be courteous to develop a procedure by which we could remove deadnames
> from old commits, or otherwise remove harmful information from Guix's
> development history, should this become a necessity.
>
> Ryan
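The alternate-history check sketched in the forwarded message, written out as an added example that is not part of the original message and not Guix code: a list of (old commit id, new commit id) tuples from the first rewritten commit to the tip, signed by a committer, which the updating client checks against both its local chain and the fetched chain before accepting the rewrite instead of flagging a downgrade. Git's object hashing and the committer's OpenPGP signature are stood in by sha256 and an HMAC over a constructed key; all function names and sample commits are this example's own.

```python
import hashlib
import hmac
import json


def commit_hash(parent: str, author: str, message: str) -> str:
    """Stand-in for git's object id: sha256 over parent id, author and message."""
    return hashlib.sha256(f"{parent}\0{author}\0{message}".encode()).hexdigest()


def build_chain(commits: list[tuple[str, str]]) -> list[str]:
    """Hash (author, message) pairs into a chain of commit ids, oldest first."""
    chain, parent = [], ""
    for author, message in commits:
        parent = commit_hash(parent, author, message)
        chain.append(parent)
    return chain


def sign_alt_history(key: bytes, tuples: list) -> str:
    """Committer signature over the canonical (old, new) list (HMAC stands in for OpenPGP)."""
    return hmac.new(key, json.dumps(tuples).encode(), "sha256").hexdigest()


def verify_alternate_history(local, fetched, tuples, signature, key) -> bool:
    """Accept `fetched` in place of `local` only if the signed tuples cover every
    local commit from the first rewritten one to the tip, in order, and `fetched`
    carries the matching new ids after an identical untouched prefix."""
    if not tuples or not hmac.compare_digest(sign_alt_history(key, tuples), signature):
        return False                         # empty, or not signed by the trusted committer
    olds = [old for old, _ in tuples]
    news = [new for _, new in tuples]
    if olds[0] not in local:
        return False                         # first rewritten commit is not in our history
    start = local.index(olds[0])
    if local[start:] != olds:                # old chain must match the structure exactly
        return False
    if fetched[:start] != local[:start]:     # history before the rewrite must be unchanged
        return False
    # Anything in `fetched` beyond the last new id is fresh work, authenticated as usual.
    return fetched[start:start + len(news)] == news


# Constructed sample: one commit recorded as "ryan", rewritten to "Ryan Prior".
KEY = b"constructed-committer-key"           # placeholder, not a real signing key
OLD = build_chain([("Alice", "init"), ("ryan", "add package"), ("Alice", "bump")])
NEW = build_chain([("Alice", "init"), ("Ryan Prior", "add package"), ("Alice", "bump")])
TUPLES = list(zip(OLD[1:], NEW[1:]))         # from the first rewritten commit to the tip
SIGNATURE = sign_alt_history(KEY, TUPLES)
```

A structure that omits a rewritten commit, carries a bad signature, or does not match the client's own chain is rejected, which keeps the ordinary downgrade protection in force for anything not explicitly covered.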