unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
@ 2023-02-04 18:19 Daniel Mendler
  2023-02-05 11:19 ` Ihor Radchenko
  2023-02-07  3:56 ` Richard Stallman
  0 siblings, 2 replies; 16+ messages in thread
From: Daniel Mendler @ 2023-02-04 18:19 UTC (permalink / raw)
  To: 61277; +Cc: yantar92, stefan, monnier

As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.

My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?

In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However the source repository may
also get compromised via other vectors.

https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-04 18:19 bug#61277: FR: ELPA security - Restrict package builds to signed git commits Daniel Mendler
@ 2023-02-05 11:19 ` Ihor Radchenko
  2023-02-07  3:56 ` Richard Stallman
  1 sibling, 0 replies; 16+ messages in thread
From: Ihor Radchenko @ 2023-02-05 11:19 UTC (permalink / raw)
  To: Daniel Mendler; +Cc: 61277, stefan, monnier

Daniel Mendler <mail@daniel-mendler.de> writes:

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?

I think that requiring every single commit to be signed is an overkill.
Maybe just the release tags?

I guess, :signature, if optional, may allow multiple levels of
verification:
1. nil :: no verification
2. (tags key1 key2 ...) :: verify release tags to match any of the
   listed GPG keys
3. (commits key1 key2 ...) :: verify every commit

I am not sure what would be the most reliable way to specify the keys.

Also, people with write access to ELPA repo may be required to sign
their commits -- in the case of security breach if the SSH key gets
stolen, signing may be a barrier to protect altering the elpa-packages
configuration from injecting malicious GPG keys.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-04 18:19 bug#61277: FR: ELPA security - Restrict package builds to signed git commits Daniel Mendler
  2023-02-05 11:19 ` Ihor Radchenko
@ 2023-02-07  3:56 ` Richard Stallman
  2023-02-07 11:44   ` Ihor Radchenko
                     ` (2 more replies)
  1 sibling, 3 replies; 16+ messages in thread
From: Richard Stallman @ 2023-02-07  3:56 UTC (permalink / raw)
  To: Daniel Mendler; +Cc: 61277, stefan, yantar92, monnier

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > As discussed on emacs-devel it would be good if ELPA security could be
  > improved, preventing potential breaches on the side of the source
  > repository. This feature becomes more relevant the more packages are
  > :auto-sync'ed from their source repository.

I agree that we need to clean up the social system for maintaining GNU ELPA
packages.  It should be as clear and documented as that for Emacs core.

  > My git commits are usually signed, so one could check the signature of
  > each commit which leads to a package build. This feature could be opt-in
  > for now, enabled via an attribute :signature in the elpa-packages
  > configuration. Maybe elpa-packages could store the fingerprint(s) of the
  > expected GPG key(s)?

What do other maintainers think of this?

It addresses one way of handling GNU ELPA packages, but not all GNU
ELPA packages are handled in this way.  What other categories of
packages do we need to consider?

  > In the case of a breach,

Breach of precisely what?  To think about this issue
requires an answer to that question.

  > both the SSH and GPG keys may be stolen, which
  > would allow an attacker to create commits on hosted repositories, such
  > that the mechanism would not help. However the source repository may
  > also get compromised via other vectors.

Is this a problem that has a solution?

Should we move this to emacs-devel?  A specific bug ticket
is not the right place for such an important topic.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-07  3:56 ` Richard Stallman
@ 2023-02-07 11:44   ` Ihor Radchenko
  2023-02-07 12:40     ` Eli Zaretskii
  2023-02-09  4:28     ` Richard Stallman
  2023-02-07 12:10   ` Eli Zaretskii
  2023-02-12  6:37   ` Stefan Kangas
  2 siblings, 2 replies; 16+ messages in thread
From: Ihor Radchenko @ 2023-02-07 11:44 UTC (permalink / raw)
  To: rms; +Cc: Daniel Mendler, 61277, stefan, monnier

Richard Stallman <rms@gnu.org> writes:

> Should we move this to emacs-devel?  A specific bug ticket
> is not the right place for such an important topic.

This was explicitly requested to be made into a bug ticket on
emacs-devel. See
https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-07  3:56 ` Richard Stallman
  2023-02-07 11:44   ` Ihor Radchenko
@ 2023-02-07 12:10   ` Eli Zaretskii
  2023-02-12  6:37   ` Stefan Kangas
  2 siblings, 0 replies; 16+ messages in thread
From: Eli Zaretskii @ 2023-02-07 12:10 UTC (permalink / raw)
  To: rms; +Cc: mail, 61277, stefan, yantar92, monnier

> Cc: 61277@debbugs.gnu.org, stefan@marxist.se, yantar92@posteo.net,
>  monnier@iro.umontreal.ca
> From: Richard Stallman <rms@gnu.org>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
> 
>   > My git commits are usually signed, so one could check the signature of
>   > each commit which leads to a package build. This feature could be opt-in
>   > for now, enabled via an attribute :signature in the elpa-packages
>   > configuration. Maybe elpa-packages could store the fingerprint(s) of the
>   > expected GPG key(s)?
> 
> What do other maintainers think of this?

I don't have an opinion.  Frankly, I don't really understand what
would signing commits give in this regard, given that people who
install a package normally install a tarball, they don't clone the Git
repository.  I also don't think the goals were stated clearly, so it's
hard to reason about this.  But then I'm nowhere near being an expert
on this stuff, so I could easily miss something important.

> Should we move this to emacs-devel?  A specific bug ticket
> is not the right place for such an important topic.

Agreed.

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-07 11:44   ` Ihor Radchenko
@ 2023-02-07 12:40     ` Eli Zaretskii
  2023-02-09  4:28     ` Richard Stallman
  1 sibling, 0 replies; 16+ messages in thread
From: Eli Zaretskii @ 2023-02-07 12:40 UTC (permalink / raw)
  To: Ihor Radchenko; +Cc: mail, 61277, stefan, rms, monnier

> Cc: Daniel Mendler <mail@daniel-mendler.de>, 61277@debbugs.gnu.org,
>  stefan@marxist.se, monnier@iro.umontreal.ca
> From: Ihor Radchenko <yantar92@posteo.net>
> Date: Tue, 07 Feb 2023 11:44:31 +0000
> 
> Richard Stallman <rms@gnu.org> writes:
> 
> > Should we move this to emacs-devel?  A specific bug ticket
> > is not the right place for such an important topic.
> 
> This was explicitly requested to be made into a bug ticket on
> emacs-devel. See
> https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com

The bug report is OK, but we want to discuss more general issues, I
think.

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-07 11:44   ` Ihor Radchenko
  2023-02-07 12:40     ` Eli Zaretskii
@ 2023-02-09  4:28     ` Richard Stallman
  2023-02-09 12:07       ` Ihor Radchenko
  1 sibling, 1 reply; 16+ messages in thread
From: Richard Stallman @ 2023-02-09  4:28 UTC (permalink / raw)
  To: Ihor Radchenko; +Cc: mail, 61277, stefan, monnier

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

I wrote:

  > > Should we move this to emacs-devel?  A specific bug ticket
  > > is not the right place for such an important topic.

You replied:

  > This was explicitly requested to be made into a bug ticket on
  > emacs-devel. See
  > https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com

I looked at that URL but I can't understand what it says.  I see
several ways to parse "This was explicitly requested to be made into a
bug ticket on emacs-devel" so I don't know what it means.  Can you
state your point more explicitly and not tersely?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-09  4:28     ` Richard Stallman
@ 2023-02-09 12:07       ` Ihor Radchenko
  2023-02-12  4:04         ` Richard Stallman
  0 siblings, 1 reply; 16+ messages in thread
From: Ihor Radchenko @ 2023-02-09 12:07 UTC (permalink / raw)
  To: rms; +Cc: mail, 61277, stefan, monnier

Richard Stallman <rms@gnu.org> writes:

>   > This was explicitly requested to be made into a bug ticket on
>   > emacs-devel. See
>   > https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com
>
> I looked at that URL but I can't understand what it says.  I see
> several ways to parse "This was explicitly requested to be made into a
> bug ticket on emacs-devel" so I don't know what it means.  Can you
> state your point more explicitly and not tersely?

I meant that Daniel submitted this bug ticket after Stefan's message
stating that

>>>   I think we should add some flag to the build system saying that a
>>>   package should only be released if the new tag has a valid signature...
>>>
>>>   IMO, opening a feature request for this in the bug tracker would be
>>>   useful.  A patch would be even better.

The emacs-devel discussion that includes the topic of this FR has been
started earlier in the thread I linked to. So, there is no need to move
this FR to emacs-devel - it is already being discussed there.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-09 12:07       ` Ihor Radchenko
@ 2023-02-12  4:04         ` Richard Stallman
  0 siblings, 0 replies; 16+ messages in thread
From: Richard Stallman @ 2023-02-12  4:04 UTC (permalink / raw)
  To: Ihor Radchenko; +Cc: mail, 61277, stefan, monnier

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > I looked at that URL but I can't understand what it says.  I see
  > > several ways to parse "This was explicitly requested to be made into a
  > > bug ticket on emacs-devel" so I don't know what it means.  Can you
  > > state your point more explicitly and not tersely?

  > I meant that Daniel submitted this bug ticket after Stefan's message
  > stating that

  > >>>   I think we should add some flag to the build system saying that a
  > >>>   package should only be released if the new tag has a valid signature...
  > >>>
  > >>>   IMO, opening a feature request for this in the bug tracker would be
  > >>>   useful.  A patch would be even better.

Now I think I understand.

Thanks, Daniel.  That was a useful thing to do.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-07  3:56 ` Richard Stallman
  2023-02-07 11:44   ` Ihor Radchenko
  2023-02-07 12:10   ` Eli Zaretskii
@ 2023-02-12  6:37   ` Stefan Kangas
  2023-02-12 10:32     ` Daniel Mendler
  2023-02-15  5:17     ` Richard Stallman
  2 siblings, 2 replies; 16+ messages in thread
From: Stefan Kangas @ 2023-02-12  6:37 UTC (permalink / raw)
  To: rms, Daniel Mendler; +Cc: 61277, yantar92, monnier

Richard Stallman <rms@gnu.org> writes:

>   > In the case of a breach,
>
> Breach of precisely what?  To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

>
>                              both the SSH and GPG keys may be stolen, which
>   > would allow an attacker to create commits on hosted repositories, such
>   > that the mechanism would not help.
>
> Is this a problem that has a solution?

Yes, for example you could put your PGP key (usually a subkey)
on a smartcard, and have no copy on the local filesystem.

PGP keys usually also have an additional password, in addition to the
one that developers normally (we hope) use for their SSH key.

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-12  6:37   ` Stefan Kangas
@ 2023-02-12 10:32     ` Daniel Mendler
  2023-02-15  5:17       ` Richard Stallman
  2023-02-15  5:17     ` Richard Stallman
  1 sibling, 1 reply; 16+ messages in thread
From: Daniel Mendler @ 2023-02-12 10:32 UTC (permalink / raw)
  To: Stefan Kangas, rms; +Cc: 61277, yantar92, monnier

On 2/12/23 07:37, Stefan Kangas wrote:
>> Breach of precisely what?  To think about this issue
>> requires an answer to that question.
> 
> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

There could also be a breach on the server where the git repository is
hosted. The repository could be manipulated directly on the server. It
is not that likely but if such incidents happen they have a huge
fallout. I also expect that more and more people move their
:auto-sync'ed git repositories to private servers or smaller forges,
which may not be as protected as the most popular ones.

Daniel

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-12  6:37   ` Stefan Kangas
  2023-02-12 10:32     ` Daniel Mendler
@ 2023-02-15  5:17     ` Richard Stallman
  2023-02-15 13:37       ` Stefan Kangas
  1 sibling, 1 reply; 16+ messages in thread
From: Richard Stallman @ 2023-02-15  5:17 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: mail, 61277, yantar92, monnier

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > >   > In the case of a breach,
  > >
  > > Breach of precisely what?  To think about this issue
  > > requires an answer to that question.

  > The idea is that the likelihood of both an SSH and a PGP key getting
  > stolen at the same time is lower than either one of them getting stolen
  > separately.

That seems plausible to me, but we are miscommunicating.
You're discussing the "how" of a possible breach,
but what I really need to know is the "what".
What is being breached?  What is the context here?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-12 10:32     ` Daniel Mendler
@ 2023-02-15  5:17       ` Richard Stallman
  0 siblings, 0 replies; 16+ messages in thread
From: Richard Stallman @ 2023-02-15  5:17 UTC (permalink / raw)
  To: Daniel Mendler; +Cc: 61277, yantar92, stefankangas, monnier

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > There could also be a breach on the server where the git repository is
  > hosted. The repository could be manipulated directly on the server. It
  > is not that likely but if such incidents happen they have a huge
  > fallout. I also expect that more and more people move their
  > :auto-sync'ed git repositories to private servers or smaller forges,
  > which may not be as protected as the most popular ones.

Do we know of any security experts who appreciate the moral principles
of free software, who could help us come up with methods that properly
handle both?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-15  5:17     ` Richard Stallman
@ 2023-02-15 13:37       ` Stefan Kangas
  2023-02-15 16:40         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-02-26  2:59         ` Richard Stallman
  0 siblings, 2 replies; 16+ messages in thread
From: Stefan Kangas @ 2023-02-15 13:37 UTC (permalink / raw)
  To: rms; +Cc: mail, 61277, yantar92, monnier

Richard Stallman <rms@gnu.org> writes:

> You're discussing the "how" of a possible breach,
> but what I really need to know is the "what".
> What is being breached?  What is the context here?

The "what" is the git repository of a GNU ELPA or NonGNU ELPA package.

If an attacker can introduce a commit containing malicious code, and
create a new git tag pointing to that commit, the GNU ELPA scripts will
fetch it, and release a new version of the package (now including the
malicious code).  By requiring tags to be cryptographically signed, we
can have a greater confidence that any new tag has at the very least
been signed off by the developer him/herself.

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-15 13:37       ` Stefan Kangas
@ 2023-02-15 16:40         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-02-26  2:59         ` Richard Stallman
  1 sibling, 0 replies; 16+ messages in thread
From: Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2023-02-15 16:40 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: mail, 61277, yantar92, rms

> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code).  By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

Technical nitpick: currently, the elpa.gnu.org scripts do not pay
attention to any Git tags (signed or not) to do their work.  We only use
the commits and their contents/history.


        Stefan
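A worked version of the check this thread is circling, added here as an example; it is not code from elpa-admin.el or from any participant. It covers Ihor Radchenko's three-level :signature sketch (nil, tags with keys, commits with keys), Stefan Kangas's scenario of an attacker pushing a malicious commit plus a tag pointing at it, and Stefan Monnier's note that the elpa.gnu.org scripts work from commits rather than tags, which is why the "commits" mode is the one that matches what the scripts consume today. The Python representation of the policy, the fingerprints, the sample gpg status lines and the key data are all constructed for the example; the thread does not define the real elpa-packages syntax.

```python
"""Signed-commit/tag policy for an ELPA-style build-from-git step.

Added example, not code from elpa-admin.el or from anyone in the thread.
It parses the GnuPG status lines that `git verify-commit --raw` and
`git verify-tag --raw` print on stderr (gpg's --status-fd format, see
doc/DETAILS in the GnuPG sources) and applies the three levels sketched
in the thread, modelled here as Python values (assumed, not the real
elpa-packages schema):

    None                    no verification
    ("tags", [fpr, ...])    the release tag must carry a valid signature
                            from an allow-listed key
    ("commits", [fpr, ...]) every new commit must

Keys are pinned by full fingerprint.  Either the signing key or, when
gpg reports it, the primary key may match, so a maintainer can list the
primary key and sign with a subkey kept on a smartcard.
"""
from __future__ import annotations

import re
import subprocess

_FPR = r"[0-9A-F]{40}(?:[0-9A-F]{24})?"        # v4: 40 hex digits, v5: 64
# VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk> <hash> <class> [<primary-fpr>]
_VALIDSIG = re.compile(
    rf"^\[GNUPG:\] VALIDSIG (?P<signer>{_FPR})(?: \S+){{8}}(?: (?P<primary>{_FPR}))?\s*$",
    re.MULTILINE,
)
_NEGATIVE = re.compile(
    r"^\[GNUPG:\] (?:BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)\b", re.MULTILINE
)


def allowed_signer(status: str, allowed: frozenset[str]) -> str | None:
    """Return the allow-listed fingerprint behind a valid signature, else None.

    Only VALIDSIG counts: GOODSIG carries a short key id and a user id, both
    of which an attacker can reproduce on a key of their own.  Any negative
    line rejects the object, and an unsigned object yields no lines at all.
    """
    if _NEGATIVE.search(status):
        return None
    for m in _VALIDSIG.finditer(status):
        for candidate in (m.group("signer"), m.group("primary")):
            if candidate in allowed:
                return candidate
    return None


def check_policy(policy, tag_status: str, commit_statuses: list[str]) -> bool:
    """Decide whether the build may proceed.  `tag_status` is the raw status
    for the release tag ("" if none), `commit_statuses` one per new commit."""
    if policy is None:
        return True
    mode, fprs = policy
    allowed = frozenset(f.replace(" ", "").upper() for f in fprs)
    if mode == "tags":
        return allowed_signer(tag_status, allowed) is not None
    if mode == "commits":   # empty range: nothing new, nothing to reject
        return all(allowed_signer(s, allowed) is not None for s in commit_statuses)
    raise ValueError(f"unknown :signature mode {mode!r}")


def check_repository(repo: str, policy, base: str, head: str, tag: str | None = None) -> bool:
    """Apply `policy` to base..head (and `tag`).  Needs git and gpg and a real
    clone; the constructed samples below do not exercise this function."""
    def raw(*args: str) -> str:  # --raw puts gpg's status lines on stderr
        return subprocess.run(["git", "-C", repo, *args],
                              capture_output=True, text=True).stderr
    tag_status = raw("verify-tag", "--raw", tag) if tag else ""
    revs = subprocess.run(["git", "-C", repo, "rev-list", f"{base}..{head}"],
                          capture_output=True, text=True, check=True).stdout.split()
    return check_policy(policy, tag_status, [raw("verify-commit", "--raw", c) for c in revs])


# --- constructed sample data: fingerprints and status lines are made up ---
MAINTAINER_PRIMARY = "ABCDEF1234567890ABCDEF1234567890ABCDEF12"
MAINTAINER_SUBKEY = "1234567890ABCDEF1234567890ABCDEF12345678"
INTRUDER_KEY = "0000111122223333444455556666777788889999"
POLICY = ("commits", ["ABCD EF12 3456 7890 ABCD  EF12 3456 7890 ABCD EF12"])


def _status(signer: str, primary: str, verdict: str = "GOODSIG") -> str:
    """Fabricate the gpg status lines git would relay for one object."""
    lines = ["[GNUPG:] NEWSIG",
             f"[GNUPG:] {verdict} {signer[-16:]} Example Maintainer <maint@example.org>"]
    if verdict in ("GOODSIG", "EXPKEYSIG"):   # gpg emits VALIDSIG only for a good signature
        lines.append(f"[GNUPG:] VALIDSIG {signer} 2023-02-04 1675535940 0 4 0 1 10 00 {primary}")
    lines.append("[GNUPG:] TRUST_UNDEFINED 0 pgp")
    return "\n".join(lines) + "\n"


SIGNED_BY_MAINTAINER = _status(MAINTAINER_SUBKEY, MAINTAINER_PRIMARY)
SIGNED_BY_INTRUDER = _status(INTRUDER_KEY, INTRUDER_KEY)
TAMPERED = _status(MAINTAINER_SUBKEY, MAINTAINER_PRIMARY, "BADSIG")
EXPIRED_KEY = _status(MAINTAINER_SUBKEY, MAINTAINER_PRIMARY, "EXPKEYSIG")
UNSIGNED = ""   # git never invokes gpg for an unsigned object


def demo() -> dict[str, bool]:
    """Build decisions for the samples under POLICY (True = build, False = reject)."""
    return {
        "maintainer": check_policy(POLICY, "", [SIGNED_BY_MAINTAINER]),
        "intruder_commit": check_policy(POLICY, "", [SIGNED_BY_MAINTAINER, SIGNED_BY_INTRUDER]),
        "tampered": check_policy(POLICY, "", [TAMPERED]),
        "expired_key": check_policy(POLICY, "", [EXPIRED_KEY]),
        "unsigned": check_policy(POLICY, "", [UNSIGNED]),
        "no_policy": check_policy(None, "", [UNSIGNED]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'build' if ok else 'REJECT'}")
```

The decision rests on gpg's VALIDSIG line rather than GOODSIG because GOODSIG only carries a key id and a user id, both of which an attacker can reproduce on a key they generated themselves; pinning the full fingerprint also makes the web-of-trust TRUST_* lines irrelevant. Expired and revoked keys fail closed, and in "tags" mode the commits behind the tag are not examined at all, which is exactly the gap Stefan Monnier's nitpick points at for the current scripts.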

* bug#61277: FR: ELPA security - Restrict package builds to signed git commits
  2023-02-15 13:37       ` Stefan Kangas
  2023-02-15 16:40         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2023-02-26  2:59         ` Richard Stallman
  1 sibling, 0 replies; 16+ messages in thread
From: Richard Stallman @ 2023-02-26  2:59 UTC (permalink / raw)
  To: Stefan Kangas; +Cc: mail, 61277, yantar92, monnier

Please forgive my delay in replying.

  > If an attacker can introduce a commit containing malicious code, and
  > create a new git tag pointing to that commit, the GNU ELPA scripts will
  > fetch it, and release a new version of the package (now including the
  > malicious code).  By requiring tags to be cryptographically signed, we
  > can have a greater confidence that any new tag has at the very least
  > been signed off by the developer him/herself.

This seems wise to me.  Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
