From mboxrd@z Thu Jan 1 00:00:00 1970 From: zimoun Subject: bug#39575: guix time-machine fails when a tarball was modified in-place Date: Mon, 17 Feb 2020 11:18:22 +0100 Message-ID: References: <87y2t7j54n.fsf@gnu.org> <87eeuy2mua.fsf@gnu.org> <87pnehe0zk.fsf@gnu.org> <878sl47t0q.fsf@gnu.org> <87k14m3iiy.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:58999) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j3dUW-0000Cg-8h for bug-guix@gnu.org; Mon, 17 Feb 2020 05:19:05 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j3dUV-0004l9-2u for bug-guix@gnu.org; Mon, 17 Feb 2020 05:19:04 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:60279) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1j3dUV-0004l5-0S for bug-guix@gnu.org; Mon, 17 Feb 2020 05:19:03 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1j3dUU-0003pQ-TC for bug-guix@gnu.org; Mon, 17 Feb 2020 05:19:02 -0500 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <87k14m3iiy.fsf@gnu.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org Sender: "bug-Guix" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 39575@debbugs.gnu.org, 28659@debbugs.gnu.org Hi Ludo, On Sun, 16 Feb 2020 at 11:59, Ludovic Court=C3=A8s wrote: > zimoun skribis: > > On Fri, 14 Feb 2020 at 22:34, Ludovic Court=C3=A8s wrote= : > >> Also, one could argue that we=E2=80=99d steer users towards downloadin= g from our > >> server, which could be a privacy concern (probably not a strong argume= nt > >> since one can easily change the substitute URLs.) > > > > I am not following the privacy concern. > > What do you mean? > > I mean that by default, someone who=E2=80=99s disabled substitutes (presu= mably > out of security or privacy concerns) would find themself downloading > source code from ci.guix.gnu.org instead of various upstream sites. I do not see the difference between mirroring and traveling back in time with missing upstream sources. And because it is content-addressed, it seems even more secure than downloading from a upstream URL, IMHO. If one trusts Guix, then an attacker needs to corrupt in the same time the Guix history and Berlin (and/or any other farm). If one does not trust Guix, why does they use the recipe coming from Guix? To be precise, this person has to check all the recipes of all the dependencies. Well, I do not see a security concern because we are talking about serving the sources. It is another story when the substitutes serve the results of the build (binaries); because one does not have any strong guarantee that the substitute serves the expected binaries. By privacy concern, do you mean that Guix could collect who downloads what; in a central fashion? Which is not the case when one downloads from several distributed upstream sources. Right? Well, I am not convinced because the case of missing upstream source is rare. And it is easy to protect against such collecting data process. In paranoid mode, traveling back in time is becoming difficult because of the reliability of the sources; I mean if the sources were reliable, SWH would not exist. ;-) The solution should be an IPFS / GNUnet / full distributed archive... which is not ready... yet! :-) Well, maybe for the TODO list of the time-machine: add an option to allow substitutes *only* for the sources (substitutes meaning ci.guix.gnu.org and/or SWH). If this option does not exist yet. ;-) Cheers, simon