From: Leo Famulari
Subject: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 5 Feb 2020 13:39:24 -0500
Message-ID: <20200205183924.GA11535@jasmine.lan>
References: <87v9ombf5r.fsf@cassou.me> <2c0b7fb7-02af-4920-845e-01ac63a8c831@www.fastmail.com> <877e11gw52.fsf@cassou.me>
In-Reply-To: <877e11gw52.fsf@cassou.me>
List-Id: Bug reports for GNU Guix
To: Damien Cassou
Cc: 39419-done@debbugs.gnu.org

On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote:
> "Leo Famulari" writes:
> > So, someone who could MITM as could use their
> > own X.509 certificate and pretend to be that server.
>
> IIUC, you agree with me that an attacker can't change the content of
> packages but can inspect what a user installs. This seems to contradict
> this paragraph:
>
> > HTTPS is recommended because communications are encrypted; conversely,
> > using HTTP makes all communications visible to an eavesdropper, who
> > could use the information gathered to determine, for instance, whether
> > your system has unpatched security vulnerabilities.

It is somewhat contradictory. The server that sends your substitutes knows what substitutes you request, by definition. How important is that information, and what tradeoffs are we willing to make to protect it?

Guix protects this information from passive eavesdroppers but not an active MITM.

The real important thing is, what substitutes are you requesting? This is based on your Guix code, and we do authenticate the server you request that from (`guix pull`). The next step is to start using code-signing there. This is a work in progress.

> If you believe the text is good as it is, please just ignore me and
> close the ticket.

Okay, closed. Please let us know if you think the text can be improved.