UX: print warning if substitute server is not authorized

Open

Details

2 participants

Chris Marusich
Ricardo Wurmus

Owner: unassigned

Submitted by: Ricardo Wurmus

Severity: normal

Ricardo Wurmus wrote on 17 Jan 2018 13:17

Recipients:(address . bug-guix@gnu.org)

Message-ID:idjpo681xyo.fsf@bimsb-sys02.mdc-berlin.net

Suppose I add example.com as a substitute server by passing

“--substitute-urls=https://example.com” to the daemon or the Guix

command line. I haven’t authorized the signing key, so Guix won’t

accept any of the substitutes from example.com.

Currently, Guix does not make it obvious to the user that a requested

substitute server is ignored because its key is not authorized. We

should print a clear warning in this case.

(guix scripts authenticate) already includes “validate-signature”, which

aborts with an error if the key is not authorized, but we don’t seem to

use it.

Ricardo

Chris Marusich wrote on 22 Jan 2018 08:08

Recipients:(name . Ricardo Wurmus)(address . ricardo.wurmus@mdc-berlin.de)(address . 30143@debbugs.gnu.org)

Message-ID:87a7x6xte0.fsf@gmail.com

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:

Toggle quote (13 lines)> Suppose I add example.com as a substitute server by passing
> “--substitute-urls=https://example.com” to the daemon or the Guix
> command line.  I haven’t authorized the signing key, so Guix won’t
> accept any of the substitutes from example.com.
>
> Currently, Guix does not make it obvious to the user that a requested
> substitute server is ignored because its key is not authorized.  We
> should print a clear warning in this case.
>
> (guix scripts authenticate) already includes “validate-signature”, which
> aborts with an error if the key is not authorized, but we don’t seem to
> use it.

What if example.com serves substitutes that are signed by another
server, such as hydra.gnu.org?  No matter where a substitute comes from,
if it was signed with an authorized key and its signature checks out,
then it's OK to use, right?

-- 
Chris

Ricardo Wurmus wrote on 23 Jan 2018 07:50

Recipients:(name . Chris Marusich)(address . cmmarusich@gmail.com)(address . 30143@debbugs.gnu.org)

Message-ID:87shaxyspx.fsf@mdc-berlin.de

Chris Marusich <cmmarusich@gmail.com> writes:

Toggle quote (20 lines)> Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:
>
>> Suppose I add example.com as a substitute server by passing
>> “--substitute-urls=https://example.com” to the daemon or the Guix
>> command line.  I haven’t authorized the signing key, so Guix won’t
>> accept any of the substitutes from example.com.
>>
>> Currently, Guix does not make it obvious to the user that a requested
>> substitute server is ignored because its key is not authorized.  We
>> should print a clear warning in this case.
>>
>> (guix scripts authenticate) already includes “validate-signature”, which
>> aborts with an error if the key is not authorized, but we don’t seem to
>> use it.
>
> What if example.com serves substitutes that are signed by another
> server, such as hydra.gnu.org?  No matter where a substitute comes from,
> if it was signed with an authorized key and its signature checks out,
> then it's OK to use, right?

Correct.

Ricardo

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 30143@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 30143

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date