review(redfix): wake #46 — Builder's 'strip userinfo is safe' CONFIRMED (refutation failed 3 ways); all 3 claims cold-verified; consumed inbox
This commit is contained in:
@ -1487,3 +1487,53 @@ non-republishing probe, and it says: not yet rotated.
|
||||
**Verdict: no VETO. `## DONE` stands. M1 + M2 PASS stand. Merge target `b5f2b10` unchanged.**
|
||||
|
||||
Did not read JOURNAL-redfix.md before forming this verdict.
|
||||
|
||||
---
|
||||
|
||||
## Wake #46 — 2026-07-09T09:08:14Z — Builder inbox (`9f7b46f`): "strip userinfo is safe" — I tried to REFUTE it three ways; **CONFIRMED**. Still no VETO.
|
||||
|
||||
Processed `ADVERSARY-INBOX.md` (Builder heads-up, `253ac71`/`9f7b46f`: folded A-redfix-1 into the B-redfix-8
|
||||
operator remedy, STATUS text only). Not a gate. **M1 + M2 PASS stand, `## DONE` stands, no VETO, merge target
|
||||
`b5f2b10` unchanged.** The Builder asked me to cold-check three falsifiable claims and named claim 2 as the
|
||||
one it most wanted refuted (if the strip breaks a push or a submodule fetch, its step 3 wedges the node).
|
||||
|
||||
**Claim 1 — value identity — CONFIRMED (re-verified independently at wake #45).** `.git/config` userinfo pw
|
||||
and orchestrator `.testenv` `GITEA_PASSWORD` both → `3fcea78925015fc9`; empty-input control → `e3b0c44298fc1c14`.
|
||||
Probe on cc-ci uses `sha256sum` (`python3` absent there). Still unrotated.
|
||||
|
||||
**Claim 2 — "stripping the userinfo is safe" — CONFIRMED; could not refute via any of three attack paths:**
|
||||
1. *A push via the userinfo URL?* No. The only `git push` in the deployed tree is
|
||||
`scripts/recipe-mirror-sync.sh:84-85`, which pushes to a `gitea` remote it `remote add`s **inside a recipe
|
||||
clone** (`MIRROR_PUSH`, OAuth-token URL) — **not** `/etc/cc-ci`'s `origin`. Nothing pushes via `origin`.
|
||||
2. *A submodule fetch that depends on the userinfo?* No — and this was the real risk. `/etc/cc-ci` has a
|
||||
`secrets` submodule (`cc-ci-secrets.git`). Its own config `/etc/cc-ci/.git/modules/secrets/config` already
|
||||
carries **no** userinfo (mode 644, userinfo=0), and the submodule remote is **anonymously fetchable**:
|
||||
`git -c credential.helper= ls-remote https://…/cc-ci-secrets.git HEAD` → rc=0. So `submodule update` works
|
||||
after the strip.
|
||||
3. *An automated fetch/pull of the deployed checkout that needs auth?* No. `/etc/cc-ci` is only ever the
|
||||
manual `git clone --recursive` (`configuration.nix:7`) and is thereafter updated via
|
||||
`nixos-rebuild switch --flake /etc/cc-ci` (local read, no network git). The nightly sweep runs **from** it
|
||||
(`CCCI_REPO=/etc/cc-ci`) but never `git pull`s it. Superproject itself is anonymously fetchable
|
||||
(`ls-remote …/cc-ci.git HEAD` → rc=0, helper disabled).
|
||||
Also checked: `/root/.git-credentials` exists (0600) but **no** `credential.helper` is wired
|
||||
(global/system both empty) → inert; the ls-remote successes above are truly anonymous (`-c credential.helper=`).
|
||||
|
||||
⇒ `git remote set-url origin https://git.autonomic.zone/recipe-maintainers/cc-ci.git` (strip) is safe for
|
||||
pull **and** submodule update, and is strictly better than re-embedding the rotated password (which would
|
||||
recreate the 0644 exposure). **Refutation attempt failed; claim stands.**
|
||||
|
||||
**Claim 3 — blast radius — CONFIRMED.** `GITEA_PASSWORD` consumed only by `scripts/bootstrap-drone-oauth.sh`
|
||||
(re-grepped origin/main); `recipe-mirror-sync.sh` pushes with the OAuth token at
|
||||
`/run/secrets/bridge_gitea_token`, not the password.
|
||||
|
||||
**Incidental (NOT a new finding — noted so it is on record):** `cc-ci-secrets.git` is publicly/anonymously
|
||||
readable, but `secrets.yaml` is **SOPS-encrypted** (`ENC[AES256_GCM,…`, `sops:` block present) — values are
|
||||
ciphertext, which is exactly SOPS's public-storage model. The decryption key is not in the repo. No plaintext
|
||||
exposure; no finding. (Called out because a public repo literally named "secrets" invites a double-take — I
|
||||
looked, and the encryption is the control.)
|
||||
|
||||
**Verdict: no VETO. `## DONE` stands. M1 + M2 PASS stand. Merge target `b5f2b10` unchanged.** All three
|
||||
Builder claims cold-confirmed; the strip-userinfo remedy is sound and I recommend it over re-embedding.
|
||||
A-redfix-1 + B-redfix-8 remain **OPEN / HIGH / operator-rotation-only** — sentinel says unrotated.
|
||||
|
||||
Did not read JOURNAL-redfix.md before forming this verdict.
|
||||
|
||||
Reference in New Issue
Block a user