From: Léo Le Bouter <lle-bout@zaclys.net>
To: Mark H Weaver, guix-devel@gnu.org
Subject: Re: [opinion] CVE-patching is not sufficient for package security patching
Date: Wed, 17 Mar 2021 07:21:04 +0100
Message-ID: <12c9484b77865e99aee0016303a897738b52ad0e.camel@zaclys.net>
In-Reply-To: <87v99qit39.fsf@netris.org>
References: <9b9a43a584e2dc70488482fce5931b46abd0e006.camel@zaclys.net> <87v99qit39.fsf@netris.org>
Sorry for the duplicated email.

On Tue, 2021-03-16 at 19:19 -0400, Mark H Weaver wrote:
> If not, it would be good to work toward the goal of making Guix
> usable on non-Intel systems. I'm sorry to say that, in my opinion,
> your proposal would move us in the wrong direction to achieve that
> goal.

We have been working with Chris Marusich, Efraim and numerous others on porting GNU Guix to PowerPC 64-bits; I think the two are not contradictory. I have a Talos II desktop at home which, once GNU Guix works on it, will be the main machine I use to contribute to GNU Guix (along with offloading to other machines for testing on other archs), so count on me to keep up on GNU Guix and test things on PowerPC 64-bits at the same time.

I am of course concerned with any blob doing things I don't need (and introducing security risk) under the hood; that's why (along with strong software freedom imaginaries) I pre-ordered my RaptorCS Talos II machine in 2017 and why I have been trying for 2 years to bring PowerPC 64-bits to GNU Guix (also with numerous other folks who joined efforts, most recently Chris Marusich, who has been an enormous help!). But I also want to be realistic that the major security risk in most computers today probably isn't the Intel ME or Intel AMT, and that we can also do many other things in the system itself that reduce risk greatly.
I'll be honest also: the IBM POWER chips have gotten much less security review than the Intel or AMD chips recently, so it's not because there's not as much security drama on IBM POWER that it doesn't have (maybe even more severe) issues :-)

About the overall security of GNU Guix and the things we can do that don't involve keeping a fast-paced rhythm of updating packages, I see a few things. Right now GNU Guile is the center of all of GNU Guix's security; I am not sure it has received lots of security auditing, and it's also written in part in a memory-unsafe language, C, so there's probably some low-hanging fruit there once someone starts fuzzing it. I'm no big expert in fuzzing, but I may try at some point.

I think we can do many things that are complementary: prevention (sandboxing), mitigation (enabling hardening compiler flags, ...), AND code security patching. The first two don't require that we keep a fast-paced update rhythm; also, we may do the first two especially because we realize we can't do the latter at all times, and I realize that; I just think we should always try to, at least, that's all.

I am also a bit concerned with the idea that GNU Guix, GNU Shepherd etc. execute code from arbitrary files in many places. I am not sure all the security details have been reviewed here; it seems risky to me to have configuration files that allow executing arbitrary code. Also, GNU Guile seems to have a sandboxed evaluation mode, which is good. I like the freedom that arbitrary code evaluation anywhere gives us, but I also want to make sure it's actually secure to do so.
Léo
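As an added illustration of the sandboxed evaluation mode the message mentions (example code written for this page, not from the original email or from Guix or Guile themselves), the following uses Guile's `(ice-9 sandbox)` module to evaluate configuration expressions with restricted bindings and resource limits. The helper name `eval-config-sandboxed` and the three sample configuration expressions are constructed for the illustration.

```scheme
;; Added example: evaluating an untrusted configuration expression with
;; Guile's (ice-9 sandbox) instead of plain `eval`.  The helper name and
;; the sample expressions below are constructed for this illustration.
(use-modules (ice-9 sandbox))

;; Evaluate EXP with only the pure bindings (no I/O, no `system`, no
;; module access) and with CPU-time and allocation limits, so a config
;; file can build data but cannot run arbitrary programs or loop forever.
;; Returns two values: whether evaluation succeeded, and the result or
;; the (key . args) of the error that was raised.
(define (eval-config-sandboxed exp)
  (catch #t
    (lambda ()
      (values #t (eval-in-sandbox exp
                                  #:bindings all-pure-bindings
                                  #:time-limit 0.1           ; seconds
                                  #:allocation-limit 1000000))) ; bytes
    (lambda (key . args)
      (values #f (cons key args)))))

;; A benign configuration: pure list/alist construction is permitted.
(define benign-config
  '(list (cons 'listen-port 8080)
         (cons 'log-level 'info)))

;; A hostile configuration: `system` is not among the pure bindings, so
;; the reference fails inside the sandbox instead of spawning a process.
(define hostile-config
  '(system "echo this would have run under plain eval"))

;; A resource-exhaustion attempt: the time limit interrupts it.
(define looping-config
  '(let loop () (loop)))

;; Print whether each sample configuration is accepted or rejected.
(define (report name exp)
  (call-with-values (lambda () (eval-config-sandboxed exp))
    (lambda (ok? result)
      (format #t "~a: ~a ~s~%" name (if ok? "accepted" "rejected") result))))

(report "benign"  benign-config)
(report "hostile" hostile-config)
(report "looping" looping-config)
```

Only the first expression yields a value; the second is rejected because `system` is unbound in the sandbox module, and the third is cut off by the time limit.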