Re: Help! I messed up guix-past

[zimoun]

Hi,

On Sat, 10 Sep 2022 at 12:27, Ludovic Courtès <ludovic.courtes@inria.fr> wrote:

> Yes, in this particular case, it is the only way forward.

As shown in another message, there is just a warning about stalling.
However, no error and the packages are available.

Therefore, I do not understand the authentication mechanism.  Because I
was expecting to have an error and that pull forces me to run
--disable-authentication.


> That said, I think authenticating source code is important.  Starting
> from a few months ago, Git supports other means to do that, but they’re
> not widespread and not all that attractive.  With all its warts, OpenPGP
> is what we have to do that.

All code are not equal.  Most of the packages in guix-past are very old
packages and I bet they contain many security holes.  So I am happy to
know that I fetch authenticated security holes. ;-)


> It would be sad to fork the repo for this reason; maybe we can discuss
> ways to make it practical for you, such as creating a single-purpose key
> that you wouldn’t have to worry much about?

>From my point of view, authentication of guix-past adds more burden than
it solves concrete issues of real problem.

I suggest to just drop the authentication for this channel.


Cheers,
simon