From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id uN7SJ0f5U2TqhAEASxT56A (envelope-from ) for ; Thu, 04 May 2023 20:28:23 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id sHPxJkf5U2SSgwEAG6o9tA (envelope-from ) for ; Thu, 04 May 2023 20:28:23 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5776121EBB for ; Thu, 4 May 2023 20:28:23 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pudgZ-0003wU-SO; Thu, 04 May 2023 14:28:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pudgQ-0003lX-Ic for bug-guix@gnu.org; Thu, 04 May 2023 14:28:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pudgQ-0004XL-AI for bug-guix@gnu.org; Thu, 04 May 2023 14:28:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pudgQ-0004oN-6B for bug-guix@gnu.org; Thu, 04 May 2023 14:28:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#62656: broken guix time-machine + software-heritage Resent-From: Simon Tournier Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 04 May 2023 18:28:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 62656 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 62656@debbugs.gnu.org, Nicolas Graves Received: via spool by 62656-submit@debbugs.gnu.org id=B62656.168322482918402 (code B ref 62656); Thu, 04 May 2023 18:28:02 +0000 Received: (at 62656) by debbugs.gnu.org; 4 May 2023 18:27:09 +0000 Received: from localhost ([127.0.0.1]:52054 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pudfY-0004mh-QE for submit@debbugs.gnu.org; Thu, 04 May 2023 14:27:09 -0400 Received: from mail-wr1-f49.google.com ([209.85.221.49]:41142) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pudfU-0004lo-3i for 62656@debbugs.gnu.org; Thu, 04 May 2023 14:27:07 -0400 Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-3063b921c7eso133533f8f.0 for <62656@debbugs.gnu.org>; Thu, 04 May 2023 11:27:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683224818; x=1685816818; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lSPP4eep8XCFNHkyBdsHRmc9u8xDvlCnNj+Gn0JdCCg=; b=kJglbPCl8MQApimDD395iCe5ai+8e4nOAXArBdj1Ytcmevi+VFqNx6tzHrmdhI27sm UKAaSdMd/qdD2yuBNoilfBkmIQPyxie60J0SGXXEX2zcPbws1nNBwIs4wlwWkyTVZRKk wjmG4GMqwDTd/z+Ze5b+LDS15+Zlnd0BC8aIfXU5n1nsKY1BORWw/GokQSB+Wwc4rU3G t6N7//P0MEkNgaTC3K63OTfH/gycwF21YuNA4RAbuwe0OWJYV8nyFkBXMXVNIYq236MG C+smiw27BF/zoT08lcZH5mPPhHUJWH7kawbLivEEU3+X+AzG4jy24FR31gaWXs7y/nQB JOJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683224818; x=1685816818; h=content-transfer-encoding:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lSPP4eep8XCFNHkyBdsHRmc9u8xDvlCnNj+Gn0JdCCg=; b=Buv+cWC+B4hbnwsnNwEU9u3ya2i3wjfcjOYzEIVyP8CnA1g+ZOVLJ0hEmZno1/jawr gWU6OLZ0UqztWf/Lp8Wdsv8Fh1Ldkwv/QZGLH8gBqxrQKAMY1Xj8ibI0pQtWV1vYo3Tl JckUDRLuq4yNL3ks7uyGiS2/zEEaVflVSxpT5gX1mZB/shn5ayLV7MSD/35rbJz6O9s3 LWFO091MO5XRQoZG+fM/fgJA0fzrybR1u38n1rhrcLouHhROP6wUra4eBmZi3N1LxLrN suk9DVYMsLvxJN2Bzh705cH2JPRePkPHyOrTkjBXTltxZRAsufSIGZvjq2pcPHb46Zz7 m6zw== X-Gm-Message-State: AC+VfDyHHwNnp2LQotjhpCZ5se8qhanT8P1LFZIoPnL5h9Uf5OHTbCJw xff5NW9KBmzyMplQQyz7BIAZbHFfb2k= X-Google-Smtp-Source: ACHHUZ5M6CwOUIgevFOcSctAqfIA2C9AY4bBR3/nfw8ABH7rHD8PMefqzAnbnpV5zI+ivx888pokcg== X-Received: by 2002:adf:ee8e:0:b0:2cf:df6d:6063 with SMTP id b14-20020adfee8e000000b002cfdf6d6063mr7644949wro.2.1683224817963; Thu, 04 May 2023 11:26:57 -0700 (PDT) Received: from pfiuh07 ([193.48.40.241]) by smtp.gmail.com with ESMTPSA id r3-20020adfda43000000b003047ae72b14sm29210076wrl.82.2023.05.04.11.26.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 May 2023 11:26:57 -0700 (PDT) From: Simon Tournier In-Reply-To: <878re4qmaf.fsf@inria.fr> References: <878rf8hch7.fsf@ngraves.fr> <87pm7rx98e.fsf@gnu.org> <87edo49if5.fsf@gmail.com> <87pm7j9o29.fsf@inria.fr> <86edny1uky.fsf@gmail.com> <87bkj0v9w0.fsf@inria.fr> <878re4qmaf.fsf@inria.fr> Date: Thu, 04 May 2023 19:00:28 +0200 Message-ID: <87mt2k821f.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1683224903; a=rsa-sha256; cv=none; b=NCaoheNJFO6ktH50QBUja8WB1xVWS0HZSskzcT+9DL27uA6NnAbgly7+7KIN0ofJz4Gwcc n7U+HsXEUQDOI8cO9iEmdqP+pUZiYnbuyWgGV7QPMFzQRLWPTa7B6HwNTr6bmx0e4+sZNP tgNzbd62+pMr9WwOoSbft4axtWy5x2qzyJvChQur+YznCI0BNmm4nkE8p/IJ5cWYd6s1LA p1AAuRHK0fhAc27joGa9bAGhKHHiqAsMJYC0MInJlbp6VKPrjvoGxrLnx9pZP68Mhsvkpk /xCD2K4YtTTr/L7GyoZnQUmL0x4GtyeNoYztbQhJTaFs/YOAR4bzlimbI7ignA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20221208 header.b=kJglbPCl; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1683224903; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=lSPP4eep8XCFNHkyBdsHRmc9u8xDvlCnNj+Gn0JdCCg=; b=fo/5K0hM+EJ++OviFhvhQmuqdbHsCALf1FLsUXlEG1iwkcCStR9LcLYJzahGgtYbkMEnhM 6tIsLNr1ZJAaSyCDDw02potzFj3maUD3+E0630bPTUOX6H1QrpO9uddY4FQRaEKZ6OlrRp iH+YMCfWRZPSPHZw6Ux+6aJ68GAb8Ivshr5YVwp0R7UulDx9sWH9q2XMJzeg8hebH6zbPd LFHxRBtAOVU154iA2eL+M1GQfN88sVB2Fk/fWYQNWePX1Fzzt1fNNwhN54caG/VJB+frK8 W/Jmv2e6B0BUW/L/OlWOzHZVnsQbPnslm9f2mHkRDzh7keGAPELKPkP8N1B28A== X-Migadu-Spam-Score: -1.91 X-Spam-Score: -1.91 X-Migadu-Queue-Id: 5776121EBB X-Migadu-Scanner: scn0.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20221208 header.b=kJglbPCl; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-TUID: cxVli2bzn5zO Hi, On jeu., 04 mai 2023 at 15:05, Ludovic Court=C3=A8s wrote: >> Well, I do not see which features will be missing. > > Those mentioned earlier, provenance tracking and downgrade detection in > particular. Do we care about provenance tracking for this scenario? Similarly, do we care about downgrade detection for this scenario? I mean, we are not talking about a regular scenario but as you said a worst-case scenario. Somehow, I am missing where =E2=80=9Csecurity=E2=80=9D (provenance tracking= and downgrade detection) fits in the picture. If tomorrow Savannah is totally down and let assume the malicious Eve is serving https://git.savannah.gnu.org/git/guix.git. The authentication is useless since Eve can easily rewrite it. The only mechanism that protects Alice is the commit SHA-1 hash she has at hand. Eve needs to attack this SHA-1 with some collision. And if it=E2=80=99s possible to pro= duce pre-image attack for SHA-1, then nothing would prevent Eve to also replace the origins of some packages in https://git.savannah.gnu.org/git/guix.git. Moreover, cloning from SWH using git-bare is not protecting neither. Well, you are trusting SWH. Somehow, you have no mean to be sure that the repository you get back from SWH is the one you expect. The only way is to inspect the signatures; it means the end-user knows exactly which gpg key from .guix-authorizations they must trust. Obviously, the former could be injected in the latter. ;-) Noting that SWH heavily relies on SHA-1, IIUC. Yeah, we should talk with SWH=E2=80=99s folks. :-) Cheers, simon