From: Simon Tournier <zimon.toutoune@gmail.com>
To: "Ludovic Courtès" <ludovic.courtes@inria.fr>
Cc: 62656@debbugs.gnu.org, Nicolas Graves <ngraves@ngraves.fr>
Subject: bug#62656: broken guix time-machine + software-heritage
Date: Thu, 04 May 2023 19:00:28 +0200	[thread overview]
Message-ID: <87mt2k821f.fsf@gmail.com> (raw)
In-Reply-To: <878re4qmaf.fsf@inria.fr>

Hi,

On Thu, 04 May 2023 at 15:05, Ludovic Courtès <ludovic.courtes@inria.fr> wrote:

>> Well, I do not see which features will be missing.
>
> Those mentioned earlier, provenance tracking and downgrade detection in
> particular.

Do we care about provenance tracking for this scenario?  Similarly, do
we care about downgrade detection for this scenario?

I mean, we are not talking about a regular scenario but as you said a
worst-case scenario.

Somehow, I am missing where “security” (provenance tracking and
downgrade detection) fits in the picture.

If tomorrow Savannah is totally down and let's assume the malicious Eve is
serving https://git.savannah.gnu.org/git/guix.git.  The authentication
is useless since Eve can easily rewrite it.  The only mechanism that
protects Alice is the commit SHA-1 hash she has at hand.  Eve needs to
attack this SHA-1 with some collision.  And if it's possible to produce a
pre-image attack for SHA-1, then nothing would prevent Eve from also
replacing the origins of some packages in
https://git.savannah.gnu.org/git/guix.git.

Moreover, cloning from SWH using git-bare is not protecting either.
Well, you are trusting SWH.  Somehow, you have no means to be sure that
the repository you get back from SWH is the one you expect.  The only
way is to inspect the signatures; it means the end-user knows exactly
which gpg key from .guix-authorizations they must trust.

Obviously, the former could be injected in the latter. ;-)  Noting that
SWH heavily relies on SHA-1, IIUC.

Yeah, we should talk with SWH’s folks. :-)

Cheers,
simon
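The argument above rests on what a pinned commit id actually covers. The following is an added illustration, not code from this thread or from Guix: it reproduces git's SHA-1 object hashing (blob, flat tree, commit) over a constructed two-file repository and shows that a client holding the expected commit id detects a mirror that rewrites either a package origin or .guix-authorizations, because either change propagates through the tree id into the commit id. The file contents, author identity, parent id and commit message are constructed stand-ins, and the tree builder handles only a single-level tree of regular files.

```python
"""Added example (not Guix code): what a pinned git commit id protects.

A commit id is SHA-1 over the commit object, which names the tree id, which
names every blob id.  Changing any checked-out file therefore changes the
commit id, and a client that already holds the expected id notices.
"""
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    # git (SHA-1 object format) hashes "<type> <size>\0<body>"
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    # files: {name: content}; flat tree of regular files (mode 100644),
    # entries sorted by name as git does; entry = "<mode> <name>\0<20-byte oid>"
    body = b""
    for name in sorted(files):
        body += f"100644 {name}".encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_id(files: dict, parents: list, message: str, ident: str) -> str:
    # ident is "Name <email> <unix-time> <tz>"; same identity used for author and committer
    lines = [f"tree {tree_id(files)}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def checkout_matches(pinned: str, files: dict, parents: list, message: str, ident: str) -> bool:
    """Alice's check: does what the (possibly hostile) mirror served hash to
    the commit id she already has at hand?"""
    return commit_id(files, parents, message, ident) == pinned


# --- constructed repository state (stand-ins, not real Guix content) ---
IDENT = "Alice Example <alice@example.org> 1683219628 +0200"  # constructed
PARENT = "0" * 40  # constructed placeholder parent id
MESSAGE = "gnu: Add foo."
ORIGINAL = {
    ".guix-authorizations": b'(authorizations (version 0) (("ALICEFP" (name "alice"))))\n',
    "foo.scm": b'(origin (uri "https://example.org/foo-1.0.tar.gz"))\n',
}
# The id Alice recorded earlier (e.g. in a channels.scm or a time-machine invocation).
PINNED = commit_id(ORIGINAL, [PARENT], MESSAGE, IDENT)


def with_file(files: dict, name: str, content: bytes) -> dict:
    tampered = dict(files)
    tampered[name] = content
    return tampered


def eve_replaces_origin() -> bool:
    """Mirror serves a commit whose package origin points elsewhere."""
    evil = b'(origin (uri "https://evil.example/foo-1.0.tar.gz"))\n'
    return checkout_matches(PINNED, with_file(ORIGINAL, "foo.scm", evil), [PARENT], MESSAGE, IDENT)


def eve_rewrites_authorizations() -> bool:
    """Mirror serves a commit whose .guix-authorizations lists Eve's key."""
    evil = b'(authorizations (version 0) (("EVEFP" (name "eve"))))\n'
    return checkout_matches(PINNED, with_file(ORIGINAL, ".guix-authorizations", evil), [PARENT], MESSAGE, IDENT)


if __name__ == "__main__":
    print("pinned commit:", PINNED)
    print("honest mirror matches:", checkout_matches(PINNED, ORIGINAL, [PARENT], MESSAGE, IDENT))
    print("origin rewritten, matches:", eve_replaces_origin())
    print("authorizations rewritten, matches:", eve_rewrites_authorizations())
```

The only way for Eve to pass this check while serving different content is a second preimage for the SHA-1 commit object (or, transitively, for a tree or blob it names), which is the point made in the mail: the pinned hash is doing all the work, and `.guix-authorizations` is itself inside the hashed tree, so a mirror cannot rewrite it without changing the id Alice compares against.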




Thread overview (14+ messages):
2023-04-03 21:39 bug#62656: broken guix time-machine + software-heritage Nicolas Graves via Bug reports for GNU Guix
2023-04-04 10:51 ` Simon Tournier
2023-04-26  9:50 ` Ludovic Courtès
2023-04-26 10:01   ` Ludovic Courtès
2023-10-24 13:23     ` Simon Tournier
2023-04-28 14:43   ` Simon Tournier
2023-05-02  7:42     ` Ludovic Courtès
2023-05-02 18:01       ` Simon Tournier
2023-05-04  7:22         ` Ludovic Courtès
2023-05-04  7:57           ` Simon Tournier
2023-05-04 13:05             ` Ludovic Courtès
2023-05-04 17:00               ` Simon Tournier [this message]
2023-05-05  7:36                 ` Ludovic Courtès
2024-02-04 13:03 ` bug#62656: close 62656 Nicolas Graves via Bug reports for GNU Guix
