| field | value |
|---|---|
| author | Ludovic Courtès <ludo@gnu.org>, 2020-06-08 12:01:24 +0200 |
| committer | Ludovic Courtès <ludo@gnu.org>, 2020-06-16 16:10:47 +0200 |
| commit | 43badf261f4688c8a7a7a9004a4bff8acb205835 (patch) |
| tree | 9e170e9088dc39219f2c7043972a1c9c61681b00 /doc/guix.texi |
| parent | 1e2b9bf2d4ed4edc9ed70c51f414bb2890074a21 (diff) |
| download | guix-43badf261f4688c8a7a7a9004a4bff8acb205835.tar, guix-43badf261f4688c8a7a7a9004a4bff8acb205835.tar.gz |
channels: 'latest-channel-instance' authenticates Git checkouts.
Fixes <https://bugs.gnu.org/22883>.
* guix/channels.scm (<channel>)[introduction]: New field.
(<channel-introduction>): New record type.
(%guix-channel-introduction): New variable.
(%default-channels): Use it.
(<channel-metadata>)[keyring-reference]: New field.
(%default-keyring-reference): New variable.
(read-channel-metadata, read-channel-metadata-from-source): Initialize
the 'keyring-reference' field.
(commit-short-id, verify-introductory-commit)
(authenticate-channel): New procedures.
(latest-channel-instance): Call 'authenticate-channel' when CHANNEL has
an introduction.
* tests/channels.scm (gpg+git-available?, commit-id-string): New
procedures.
("authenticate-channel, wrong first commit signer")
("authenticate-channel, .guix-authorizations"): New tests.
* doc/guix.texi (Invoking guix pull): Mention authentication.
Diffstat (limited to 'doc/guix.texi')
-rw-r--r-- | doc/guix.texi | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 6b4fa5b441..dd626816d0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -3721,13 +3721,17 @@ this option is primarily useful when the daemon was running with @cindex updating Guix @cindex @command{guix pull} @cindex pull +@cindex security, @command{guix pull} +@cindex authenticity, of code obtained with @command{guix pull} Packages are installed or upgraded to the latest version available in the distribution currently available on your local machine. To update that distribution, along with the Guix tools, you must run @command{guix pull}: the command downloads the latest Guix source code and package descriptions, and deploys it. Source code is downloaded from a @uref{https://git-scm.com, Git} repository, by default the official -GNU@tie{}Guix repository, though this can be customized. +GNU@tie{}Guix repository, though this can be customized. @command{guix +pull} ensures that the code it downloads is @emph{authentic} by +verifying that commits are signed by Guix developers. Specifically, @command{guix pull} downloads code from the @dfn{channels} (@pxref{Channels}) specified by one of the followings, in this order: |
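Review bot: the added sentence in this hunk ("@command{guix pull} ensures that the code it downloads is @emph{authentic} by verifying that commits are signed by Guix developers") states the guarantee unconditionally, but the commit message says 'authenticate-channel' is only called from 'latest-channel-instance' when the channel has an introduction, so a reader using a custom channel without one would be misled about what is verified. Suggest qualifying it along the lines of "verifying that commits are signed by authorized developers, for channels that provide an introduction (@pxref{Channels})", and pointing to where the keyring reference and the .guix-authorizations mechanism named in the commit message are documented, since "Guix developers" is not quite the same set as the keys that file authorizes. Minor, in the unchanged context: "specified by one of the followings" should read "one of the following".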