From 73b3f941d7d911a1b2bb2bf77d37cb3a12ed4291 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 7 May 2024 15:54:44 +0200 Subject: maint: Suggest ‘guix git authenticate’ for initial authentication. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous recommendation, running ‘make authenticate’, was insecure because it led users to run code from the very repository they want to authenticate: https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html * Makefile.am (commit_v1_0_0, channel_intro_commit) (channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove. * Makefile.am (.git/hooks/%): New target, generalization of previous ‘.git/hooks/pre-push’ target. (nodist_noinst_DATA): Add ‘.git/hooks/post-merge’. * doc/contributing.texi (Building from Git): Suggest ‘guix git authenticate’ instead of ‘make authenticate’. * etc/git/post-merge: New file. * etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make authenticate’. Reviewed-by: Maxim Cournoyer Reported-by: Skyler Ferris Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd --- etc/git/pre-push | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'etc/git/pre-push') diff --git a/etc/git/pre-push b/etc/git/pre-push index 59671b0d583..325b23854bb 100755 --- a/etc/git/pre-push +++ b/etc/git/pre-push @@ -32,7 +32,9 @@ do # Only use the hook when pushing to Savannah. case "$2" in *.gnu.org*) - exec make authenticate check-channel-news + set -e + make check-channel-news + exec guix git authenticate exit 127 ;; *) -- cgit v1.3