Hello!

Ludovic Courtès wrote:

> The list of authorized committers is meant to be stored in a
> ‘.guix-authorizations’ file in each branch of the channel. It is
> essentially a list of fingerprints:
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e
>
> To accept a new committer, an authorized committer must add its key to
> this file in the branch(es) where that person is expected to commit.
> The format currently accepts additional data for each fingerprint. It’s
> currently ignored, but I thought it could be useful in the future, for
> instance if we want to associate a file pattern with a key.
>
> A commit is considered “authorized” if and only if its signing key is
> listed in the ‘.guix-authorizations’ file of its parent commit(s).

The good news with this model is that an adversary cannot trick users
into fetching an unrelated branch where the authorizations would be
different: they can always detect that it’s a disconnected branch or
that it’s not a fast-forward pull.

The bad news is that this also prevents “unauthorized forks” in general.
Unless Guix folks explicitly push a commit authorizing the key of the
person who forks, commits by that person will appear as unauthorized.

So we need an extra mechanism to say: “this fork starts here”. However,
modifications to that piece of information must be detectable so that
one cannot serve a malicious fork that pretends to forego history.

Ludo’.
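The authorization rule and the fork problem discussed in this message, modelled in Python on a constructed commit graph. This is an added example, not Guix's code and not part of the original message. The `Commit` class, the `authenticate` function, the placeholder fingerprints and the choice that a merge's key must be listed in every parent are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    parents: tuple         # ids of the parent commits
    signer: str            # fingerprint of the key that signed this commit
    authorized: frozenset  # fingerprints in this commit's .guix-authorizations

def authenticate(repo, tip, trusted):
    """Return the ids of commits in trusted..tip that break the rule.

    Raises ValueError when `tip` does not descend from `trusted`
    (a disconnected branch).
    """
    bad, seen, stack = [], set(), [tip]
    while stack:
        cid = stack.pop()
        if cid == trusted or cid in seen:
            continue
        seen.add(cid)
        commit = repo[cid]
        if not commit.parents:
            raise ValueError(f"{cid} does not descend from {trusted}")
        # Authorized iff the signing key is listed in the parents' file.
        # Assumption: for a merge, every parent must list the key.
        if not all(commit.signer in repo[p].authorized for p in commit.parents):
            bad.append(cid)
        stack.extend(commit.parents)
    return sorted(bad)

# Constructed history; ALICE, BOB and CAROL stand in for OpenPGP fingerprints.
A = frozenset({"ALICE"})
AB = frozenset({"ALICE", "BOB"})
ABC = frozenset({"ALICE", "BOB", "CAROL"})
REPO = {
    "c0": Commit((), "ALICE", A),          # trusted starting point
    "c1": Commit(("c0",), "ALICE", AB),    # Alice authorizes Bob
    "c2": Commit(("c1",), "BOB", AB),      # passes: c1 lists BOB
    "f1": Commit(("c2",), "CAROL", ABC),   # fork: Carol adds her own key
    "f2": Commit(("f1",), "CAROL", ABC),   # passes locally, but f1 does not
    "x0": Commit((), "CAROL", frozenset({"CAROL"})),      # unrelated root
    "x1": Commit(("x0",), "CAROL", frozenset({"CAROL"})),
}

if __name__ == "__main__":
    print(authenticate(REPO, "c2", "c0"))  # upstream history
    print(authenticate(REPO, "f2", "c0"))  # fork without upstream approval
```

Self-authorization in `f1` does not help the fork, because the check reads the parent's file, and the unrelated `x1` branch is rejected outright for not descending from the trusted commit.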