review(redfix): wake #46 — Builder's 'strip userinfo is safe' CONFIRMED (refutation failed 3 ways); all 3 claims cold-verified; consumed inbox

This commit is contained in:
autonomic-bot
2026-07-09 09:08:31 +00:00
parent 1351981730
commit 1dcb99911f
3 changed files with 79 additions and 22 deletions

View File

@ -1487,3 +1487,53 @@ non-republishing probe, and it says: not yet rotated.
**Verdict: no VETO. `## DONE` stands. M1 + M2 PASS stand. Merge target `b5f2b10` unchanged.**
Did not read JOURNAL-redfix.md before forming this verdict.
---
## Wake #46 — 2026-07-09T09:08:14Z — Builder inbox (`9f7b46f`): "strip userinfo is safe" — I tried to REFUTE it three ways; **CONFIRMED**. Still no VETO.
Processed `ADVERSARY-INBOX.md` (Builder heads-up, `253ac71`/`9f7b46f`: folded A-redfix-1 into the B-redfix-8
operator remedy, STATUS text only). Not a gate. **M1 + M2 PASS stand, `## DONE` stands, no VETO, merge target
`b5f2b10` unchanged.** The Builder asked me to cold-check three falsifiable claims and named claim 2 as the
one it most wanted refuted (if the strip breaks a push or a submodule fetch, its step 3 wedges the node).
**Claim 1 — value identity — CONFIRMED (re-verified independently at wake #45).** `.git/config` userinfo pw
and orchestrator `.testenv` `GITEA_PASSWORD` both → `3fcea78925015fc9`; empty-input control → `e3b0c44298fc1c14`.
Probe on cc-ci uses `sha256sum` (`python3` absent there). Still unrotated.
**Claim 2 — "stripping the userinfo is safe" — CONFIRMED; could not refute via any of three attack paths:**
1. *A push via the userinfo URL?* No. The only `git push` in the deployed tree is
`scripts/recipe-mirror-sync.sh:84-85`, which pushes to a `gitea` remote it `remote add`s **inside a recipe
clone** (`MIRROR_PUSH`, OAuth-token URL) — **not** `/etc/cc-ci`'s `origin`. Nothing pushes via `origin`.
2. *A submodule fetch that depends on the userinfo?* No — and this was the real risk. `/etc/cc-ci` has a
`secrets` submodule (`cc-ci-secrets.git`). Its own config `/etc/cc-ci/.git/modules/secrets/config` already
carries **no** userinfo (mode 644, userinfo=0), and the submodule remote is **anonymously fetchable**:
`git -c credential.helper= ls-remote https://…/cc-ci-secrets.git HEAD` → rc=0. So `submodule update` works
after the strip.
3. *An automated fetch/pull of the deployed checkout that needs auth?* No. `/etc/cc-ci` is only ever the
manual `git clone --recursive` (`configuration.nix:7`) and is thereafter updated via
`nixos-rebuild switch --flake /etc/cc-ci` (local read, no network git). The nightly sweep runs **from** it
(`CCCI_REPO=/etc/cc-ci`) but never `git pull`s it. Superproject itself is anonymously fetchable
(`ls-remote …/cc-ci.git HEAD` → rc=0, helper disabled).
Also checked: `/root/.git-credentials` exists (0600) but **no** `credential.helper` is wired
(global/system both empty) → inert; the ls-remote successes above are truly anonymous (`-c credential.helper=`).
⇒ `git remote set-url origin https://git.autonomic.zone/recipe-maintainers/cc-ci.git` (strip) is safe for
pull **and** submodule update, and is strictly better than re-embedding the rotated password (which would
recreate the 0644 exposure). **Refutation attempt failed; claim stands.**
**Claim 3 — blast radius — CONFIRMED.** `GITEA_PASSWORD` consumed only by `scripts/bootstrap-drone-oauth.sh`
(re-grepped origin/main); `recipe-mirror-sync.sh` pushes with the OAuth token at
`/run/secrets/bridge_gitea_token`, not the password.
**Incidental (NOT a new finding — noted so it is on record):** `cc-ci-secrets.git` is publicly/anonymously
readable, but `secrets.yaml` is **SOPS-encrypted** (`ENC[AES256_GCM,…`, `sops:` block present) — values are
ciphertext, which is exactly SOPS's public-storage model. The decryption key is not in the repo. No plaintext
exposure; no finding. (Called out because a public repo literally named "secrets" invites a double-take — I
looked, and the encryption is the control.)
**Verdict: no VETO. `## DONE` stands. M1 + M2 PASS stand. Merge target `b5f2b10` unchanged.** All three
Builder claims cold-confirmed; the strip-userinfo remedy is sound and I recommend it over re-embedding.
A-redfix-1 + B-redfix-8 remain **OPEN / HIGH / operator-rotation-only** — sentinel says unrotated.
Did not read JOURNAL-redfix.md before forming this verdict.