From: bo0od
To: 43770@debbugs.gnu.org (bug-guix@gnu.org)
Subject: bug#43770: Geeks think securely: VM per Package (trustless state to devs and their apps)
Date: Fri, 2 Oct 2020 18:01:18 +0000
Message-ID: <0adb9d2b-22e6-412d-4148-fd032d191b6b@riseup.net>
List-Id: Bug reports for GNU Guix

Hi There,

If we look at the current state of packages running inside GNU distros, they are in a very insecure shape: either they are installed without sandboxing because the distro doesn't even provide that, or no profiles exist for the sandboxing feature, and it has issues, e.g.:

- Sandboxing can be made through MAC (AppArmor, SELinux) or using namespaces (firejail, bubblewrap). But the problem with using these features is that they need a defined/preconfigured profile for each package in order to use them, thus making it almost impossible to apply to every package on a real basis. (Unless there is a policy saying no package is allowed without coming with its own MAC profile, but that also has another issue when using third-party packages...)

- Containers are like an OS, and to use one within another OS is like an OS in an OS; I find it crazy. And not just that: the way the package gets upgraded is not reliable enough to be secure, so this won't solve our issue either.

To solve this mess, the way is to use the virtualization method, and to make that happen is to put each package in a VM by itself, meaning the package is going to use the system resources without being able to maliciously gain anything. This provides less trust to developers and their code running within the system.

One of the greatest designs made in our time towards security is GNU/Linux Qubes OS; it uses an OS per VM and has VM-to-VM communication, etc. I highly recommend reading their design to take some ideas from it: https://www.qubes-os.org/doc/

Useful references:
https://wiki.debian.org/UntrustedDebs
https://blog.invisiblethings.org/papers/2015/state_harmful.pdf

ThX!
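As an added example (not part of the bug report or of any Guix code) of what the first bullet's "preconfigured profile per package" and the "no package without its own profile" policy would look like for a namespace sandbox such as bubblewrap: the package names, store paths and profiles below are constructed sample data; only the bwrap flag syntax is real.

```python
"""Deny-by-default launcher: a package runs under bwrap only if it ships a
declarative sandbox profile.  Paths and package names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxProfile:
    command: str            # executable to run inside the sandbox
    ro_paths: tuple = ()    # host paths mounted read-only
    rw_paths: tuple = ()    # host paths mounted read-write
    network: bool = False   # keep the host network namespace?


# Constructed registry.  A Guix-style /gnu/store is immutable, so it is
# bound read-only; only the package's own data directory is writable and
# network access is opt-in.  The store hashes are placeholders.
PROFILES = {
    "example-editor": SandboxProfile(
        command="/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-example-editor-1.0/bin/editor",
        ro_paths=("/gnu/store", "/etc/fonts"),
        rw_paths=("/home/user/Documents",),
        network=False,
    ),
    "example-browser": SandboxProfile(
        command="/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-example-browser-1.0/bin/browser",
        ro_paths=("/gnu/store", "/etc/ssl/certs"),
        rw_paths=("/home/user/Downloads",),
        network=True,
    ),
}


class MissingProfile(Exception):
    """Raised when a package has no sandbox profile (policy violation)."""


def bwrap_argv(profile: SandboxProfile) -> list:
    """Translate a declarative profile into a bubblewrap command line."""
    argv = ["bwrap", "--unshare-all", "--die-with-parent"]
    if profile.network:
        argv.append("--share-net")  # --unshare-all drops net; opt back in
    for path in profile.ro_paths:
        argv += ["--ro-bind", path, path]
    for path in profile.rw_paths:
        argv += ["--bind", path, path]
    argv += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"]
    return argv + ["--", profile.command]


def launch_command(package: str) -> list:
    """Refuse to build a command for any package lacking a profile."""
    if package not in PROFILES:
        raise MissingProfile(f"{package}: refusing to run without a profile")
    return bwrap_argv(PROFILES[package])
```

The registry is the part the report calls impractical at scale: every package needs its own entry before it may run at all.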