From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id +Hy1JZSDd1+cPgAA0tVLHw (envelope-from ) for ; Fri, 02 Oct 2020 19:46:28 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id YEZ5IZSDd18EaAAAB5/wlQ (envelope-from ) for ; Fri, 02 Oct 2020 19:46:28 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 4356A9402DA for ; Fri, 2 Oct 2020 19:46:27 +0000 (UTC) Received: from localhost ([::1]:33144 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kOR0O-000190-Ui for larch@yhetil.org; Fri, 02 Oct 2020 15:46:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41068) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kOR0D-00018f-VK for bug-guix@gnu.org; Fri, 02 Oct 2020 15:46:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:59309) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kOR0D-0001Ts-Lu for bug-guix@gnu.org; Fri, 02 Oct 2020 15:46:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kOR0D-0004H2-Kz for bug-guix@gnu.org; Fri, 02 Oct 2020 15:46:01 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#43770: Geeks think securely: VM per Package (trustless state to devs and their apps) Resent-From: raingloom Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 02 Oct 2020 19:46:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 43770 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 43770@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.160166790716365 (code B ref -1); Fri, 02 Oct 2020 19:46:01 +0000 Received: (at submit) by debbugs.gnu.org; 2 Oct 2020 19:45:07 +0000 Received: from localhost ([127.0.0.1]:42622 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kOQzL-0004Ft-Ex for submit@debbugs.gnu.org; Fri, 02 Oct 2020 15:45:07 -0400 Received: from lists.gnu.org ([209.51.188.17]:50000) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kOQzI-0004Fj-KB for submit@debbugs.gnu.org; Fri, 02 Oct 2020 15:45:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40740) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kOQzI-0000wA-88 for bug-guix@gnu.org; Fri, 02 Oct 2020 15:45:04 -0400 Received: from mx1.riseup.net ([198.252.153.129]:46152) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kOQzF-0001Bu-2u for bug-guix@gnu.org; Fri, 02 Oct 2020 15:45:03 -0400 Received: from bell.riseup.net (bell-pn.riseup.net [10.0.1.178]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4C30nk6NmZzDsZf for ; Fri, 2 Oct 2020 12:44:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1601667898; bh=C8iItubBqvpAlbv0o84w7rT8xTksBclSOTj4SghJCys=; h=Date:From:To:Subject:In-Reply-To:References:From; b=pHwBF72bTI2c3sP4mT+nYHUkNM5cTXMA7AjCQ1hVIWPvXzAWZoqRJqf4gMN4wIWlr e3RCE2NM0Jpf4D86W9hw1E93Px1x9+Ftv6Uv0OIhrlMuuPr2seoteu8/IiZIFA9qFW WoDTBlV6x2hCmB+Ly0cd6D2Y4I3d/IFs7OIKksLo= X-Riseup-User-ID: D8A86906E86932CA0F1DE2F0BF7674BEE8B69256EDCFCBCE755B173895A982C6 Received: from [127.0.0.1] (localhost [127.0.0.1]) by bell.riseup.net (Postfix) with ESMTPSA id 4C30nk14npzJn9L for ; Fri, 2 Oct 2020 12:44:57 -0700 (PDT) Date: Fri, 2 Oct 2020 21:45:14 +0200 From: raingloom Message-ID: <20201002214514.168ee5e1@riseup.net> In-Reply-To: <0adb9d2b-22e6-412d-4148-fd032d191b6b@riseup.net> References: <0adb9d2b-22e6-412d-4148-fd032d191b6b@riseup.net> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=198.252.153.129; envelope-from=raingloom@riseup.net; helo=mx1.riseup.net X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/02 14:02:04 X-ACL-Warn: Detected OS = Linux 3.11 and newer [fuzzy] X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -2.4 (--) X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=fail (rsa verify failed) header.d=riseup.net header.s=squak header.b=pHwBF72b; dmarc=fail reason="SPF not aligned (relaxed)" header.from=riseup.net (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Spam-Score: 0.09 X-TUID: j4aORCpaIb5d On Fri, 2 Oct 2020 18:01:18 +0000 bo0od wrote: > Hi There, > > If we look at current state of packages running inside GNU distros > they are in very insecure shape which is either they are installed > without sandboxing because the distro doesnt even provide that or no > profiles exist for the sandboxing feature and has issues e.g: > > - Sandboxing can be made through MAC (apparmor,selinux) or Using > Namespaces (firejail,bubblewrap) But the problem with using these > features it needs a defined/preconfigured profile for each package in > order to use them thus making almost impossible case to be applied on > every package in real bases. (unless a policy which saying no package > is allowed without coming with its own MAC profile, but thats as well > has another issue when using third party packages...) > > - Containers are like OS, and to use it within another OS is like OS > in OS i find it crazy and not just that the way that the package gets > upgraded is not reliable to be secure so this wont solve our issue as > well. > > To solve this mess, is to use virtualization method and to make that > happen is to put each package in a VM by itself means the package > gonna use the system resources without being able maliciously gain > anything.This provide less trust to developers and their code running > within the system. > > one of the greatest design made in our time towards security is > GNU/Linux Qubes OS, it uses OS per VM and has VM to VM > communication...etc i highly recommend reading their design to take > some ideas from it: > > https://www.qubes-os.org/doc/ There is an even more relevant project being developed in NixOS, but I can't remember its name off the top of my head. My 2 cents is that I'd rather have the option to use packages that are closer to Alpine than having to pay the performance penalty of Qubes. Fewer lines of code => fewer bugs => fewer security holes. > Useful refer: > > https://wiki.debian.org/UntrustedDebs > https://blog.invisiblethings.org/papers/2015/state_harmful.pdf > > ThX! > > >