summary refs log tree commit diff
path: root/doc/guix.texi
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2020-06-08 12:01:24 +0200
committerLudovic Courtès <ludo@gnu.org>2020-06-16 16:10:47 +0200
commit43badf261f4688c8a7a7a9004a4bff8acb205835 (patch)
tree9e170e9088dc39219f2c7043972a1c9c61681b00 /doc/guix.texi
parent1e2b9bf2d4ed4edc9ed70c51f414bb2890074a21 (diff)
downloadguix-43badf261f4688c8a7a7a9004a4bff8acb205835.tar.gz
channels: 'latest-channel-instance' authenticates Git checkouts.
Fixes <https://bugs.gnu.org/22883>.

* guix/channels.scm (<channel>)[introduction]: New field.
(<channel-introduction>): New record type.
(%guix-channel-introduction): New variable.
(%default-channels): Use it.
(<channel-metadata>)[keyring-reference]: New field.
(%default-keyring-reference): New variable.
(read-channel-metadata, read-channel-metadata-from-source): Initialize
the 'keyring-reference' field.
(commit-short-id, verify-introductory-commit)
(authenticate-channel): New procedures.
(latest-channel-instance): Call 'authenticate-channel' when CHANNEL has
an introduction.
* tests/channels.scm (gpg+git-available?, commit-id-string): New
procedures.
("authenticate-channel, wrong first commit signer"):
("authenticate-channel, .guix-authorizations"): New tests.
* doc/guix.texi (Invoking guix pull): Mention authentication.
Diffstat (limited to 'doc/guix.texi')
-rw-r--r--doc/guix.texi6
1 files changed, 5 insertions, 1 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 6b4fa5b441..dd626816d0 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3721,13 +3721,17 @@ this option is primarily useful when the daemon was running with
 @cindex updating Guix
 @cindex @command{guix pull}
 @cindex pull
+@cindex security, @command{guix pull}
+@cindex authenticity, of code obtained with @command{guix pull}
 Packages are installed or upgraded to the latest version available in
 the distribution currently available on your local machine.  To update
 that distribution, along with the Guix tools, you must run @command{guix
 pull}: the command downloads the latest Guix source code and package
 descriptions, and deploys it.  Source code is downloaded from a
 @uref{https://git-scm.com, Git} repository, by default the official
-GNU@tie{}Guix repository, though this can be customized.
+GNU@tie{}Guix repository, though this can be customized.  @command{guix
+pull} ensures that the code it downloads is @emph{authentic} by
+verifying that commits are signed by Guix developers.
 
 Specifically, @command{guix pull} downloads code from the @dfn{channels}
 (@pxref{Channels}) specified by one of the followings, in this order: