From: Stefan Monnier
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable to replay attacks
Date: Wed, 25 Nov 2020 19:43:29 -0500
To: Stefan Kangas
Cc: 19479@debbugs.gnu.org, Noam Postavsky
In-Reply-To: (Stefan Kangas's message of "Sat, 21 Nov 2020 15:51:28 -0800")

> I have just pushed the branch scratch/package-security with proper
> support for timestamps, as discussed below. More details are in the
> commit messages and the proposed documentation changes. Once this is
> merged, I hope to work on adding support for this to both GNU ELPA and
> NonGNU ELPA.

Do we need this hash-checksum, really?

AFAICT, I think if we want to avoid replay attacks we need indeed
a monotone "counter" (e.g. a timestamp) on the `archive-contents` and
then a way to verify that the tarballs are what they claim to be.

We can already verify that they are what they claim to be since the
tarball includes the version number inside the `-pkg.el` file.

So, I think all we need is to verify the contents of `-pkg.el` after
unpacking a tarball, to make sure it is indeed the package and version
its name claimed to be. This check would be welcome in any case to
detect packaging errors.

        Stefan
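
The two checks discussed in the message above, sketched as an added example (not code from this thread or from package.el): a monotone counter on `archive-contents`, and a comparison of the `-pkg.el` declaration against the name and version that were requested. It assumes the tarball layout `NAME-VERSION/NAME-pkg.el` with a `define-package` form, exact string comparison of versions, and an integer counter; all function names are hypothetical.

```python
import io
import re
import tarfile

# Assumed shape of NAME-pkg.el: (define-package "NAME" "VERSION" ...)
DEFINE_PACKAGE = re.compile(r'\(define-package\s+"([^"]+)"\s+"([^"]+)"')


class PackageMismatch(Exception):
    """Tarball or archive-contents is not what was requested."""


def check_archive_counter(last_seen, offered):
    """Accept archive-contents only if its counter did not go backwards."""
    if last_seen is not None and offered < last_seen:
        raise PackageMismatch(f"stale archive-contents: {offered} < {last_seen}")
    return offered


def verify_pkg_el(tar_bytes, name, version):
    """Check NAME-VERSION/NAME-pkg.el declares exactly NAME and VERSION."""
    member = f"{name}-{version}/{name}-pkg.el"
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        try:
            f = tar.extractfile(member)
        except KeyError:
            raise PackageMismatch(f"{member} not in tarball") from None
        if f is None:
            raise PackageMismatch(f"{member} is not a regular file")
        text = f.read().decode("utf-8", errors="replace")
    m = DEFINE_PACKAGE.search(text)
    if m is None:
        raise PackageMismatch("no define-package form found")
    if (m.group(1), m.group(2)) != (name, version):
        raise PackageMismatch(f"declares {m.group(1)}-{m.group(2)}")
    return True


def make_tarball(dirname, pkg, declared_version):
    """Constructed sample data: a one-file tarball built in memory."""
    body = f'(define-package "{pkg}" "{declared_version}" "Sample")\n'.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(f"{dirname}/{pkg}-pkg.el")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

An older tarball served in place of the requested version fails either on the directory name or on the declared version, which is also how a plain packaging error would surface.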