authorLudovic Courtès <ludo@gnu.org>2024-05-07 15:54:44 +0200
committerLudovic Courtès <ludo@gnu.org>2024-05-25 16:23:56 +0200
commit73b3f941d7d911a1b2bb2bf77d37cb3a12ed4291 (patch)
treee9bad56f9dd556a77c7fe52ade2a418b14d49716 /Makefile.am
parent0efa1daad354216e9ce2adb078eb4d5254792e49 (diff)
maint: Suggest ‘guix git authenticate’ for initial authentication.
The previous recommendation, running ‘make authenticate’, was insecure because it led users to run code from the very repository they want to authenticate: https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html * Makefile.am (commit_v1_0_0, channel_intro_commit) (channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove. * Makefile.am (.git/hooks/%): New target, generalization of previous ‘.git/hooks/pre-push’ target. (nodist_noinst_DATA): Add ‘.git/hooks/post-merge’. * doc/contributing.texi (Building from Git): Suggest ‘guix git authenticate’ instead of ‘make authenticate’. * etc/git/post-merge: New file. * etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make authenticate’. Reviewed-by: Maxim Cournoyer <maxim.cournoyer@gmail.com> Reported-by: Skyler Ferris <skyvine@protonmail.com> Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd
Diffstat (limited to 'Makefile.am')
-rw-r--r--Makefile.am30
1 files changed, 9 insertions, 21 deletions
diff --git a/Makefile.am b/Makefile.am
index b4a06a52b8..d0364e9dad 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,5 @@
# GNU Guix --- Functional package management for GNU
-# Copyright © 2012-2023 Ludovic Courtès <ludo@gnu.org>
+# Copyright © 2012-2024 Ludovic Courtès <ludo@gnu.org>
# Copyright © 2013 Andreas Enge <andreas@enge.fr>
# Copyright © 2015, 2017 Alex Kost <alezost@gmail.com>
# Copyright © 2016, 2018 Mathieu Lirzin <mthl@gnu.org>
@@ -899,22 +899,6 @@ $(guix_install_go_files): install-nobase_dist_guilemoduleDATA
install-data-hook:
touch "$(DESTDIR)$(guileobjectdir)/guix/config.go"
-# Commit corresponding to the 'v1.0.0' tag.
-commit_v1_0_0 = 6298c3ffd9654d3231a6f25390b056483e8f407c
-
-# Introduction of the 'guix' channel. Keep in sync with (guix channels)!
-channel_intro_commit = 9edb3f66fd807b096b48283debdcddccfea34bad
-channel_intro_signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA
-
-# Authenticate the current Git checkout by checking signatures on every commit.
-GUIX_GIT_KEYRING = origin/keyring
-authenticate:
- $(AM_V_at)echo "Authenticating Git checkout..." ; \
- guix git authenticate \
- --keyring=$(GUIX_GIT_KEYRING) \
- --cache-key=channels/guix --stats \
- "$(channel_intro_commit)" "$(channel_intro_signer)"
-
# Assuming Guix is already installed and the daemon is up and running, this
# rule builds from $(srcdir), creating and building derivations.
as-derivation:
@@ -1231,13 +1215,13 @@ cuirass-jobs: $(GOBJECTS)
.PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version
.PHONY: assert-no-store-file-names assert-binaries-available
.PHONY: assert-final-inputs-self-contained check-channel-news
-.PHONY: clean-go make-go as-derivation authenticate
+.PHONY: clean-go make-go as-derivation
.PHONY: update-guix-package update-NEWS cuirass-jobs release
# Git auto-configuration.
-.git/hooks/pre-push: etc/git/pre-push
+.git/hooks/%: etc/git/%
$(AM_V_at)if test -d .git; then \
- cp etc/git/pre-push .git/hooks/pre-push; \
+ cp "$<" "$@"; \
fi
.git/config: etc/git/gitconfig
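Review bot: When `.git` is not a directory, the recipe of the new `.git/hooks/%` rule succeeds without copying anything, so a checkout whose `.git` is a file (a linked worktree or a submodule) gets no pre-push or post-merge hook and no message saying so. With `make authenticate` removed, these hooks appear to be the only recurring authentication step this Makefile sets up, so the skip should be visible, for example with an `else echo "warning: $@ not installed; run 'guix git authenticate' manually" >&2;` branch before `fi`. Whether `in_git_p` is even true in such a checkout cannot be told from this hunk. Separately, `cp "$<" "$@"` takes the mode of the source file for a newly created hook, and Git ignores hooks that are not executable; a `chmod +x "$@"` after the copy would make the rule independent of how `etc/git/post-merge` was committed, whose mode is not shown in this diff.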
@@ -1260,7 +1244,11 @@ COMMIT_MSG_MAGIC = VGhpcyBpcyB0aGUgY29tbWl0LW1zZyBob29rIG9mIEd1aXg=
# from a tarball. Do not add dependencies on these to *_DATA when building
# from a tarball, as that breaks the build.
if in_git_p
-nodist_noinst_DATA = .git/hooks/pre-push .git/config .git/hooks/commit-msg
+nodist_noinst_DATA = \
+ .git/hooks/pre-push \
+ .git/hooks/post-merge \
+ .git/config \
+ .git/hooks/commit-msg
endif
# Downloading up-to-date PO files.
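Review bot: The list now installs `.git/hooks/post-merge`, but the comment above `nodist_noinst_DATA` says nothing about what that hook can and cannot guarantee. Git runs post-merge after the merge has completed and the hook cannot affect the outcome, so an authentication failure there is a report rather than a block, and the working tree already holds the unauthenticated commits. I would add a comment such as `# post-merge authenticates after 'git pull'; it cannot undo the merge, so on failure the checkout must be reset by hand.` The hook itself (`etc/git/post-merge`) is outside this diff, so this assumes it runs `guix git authenticate` as the commit message describes for pre-push.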