unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* “Building a Secure Software Supply Chain with GNU Guix”
@ 2022-06-30 14:13 Ludovic Courtès
  2022-06-30 21:37 ` bokr
                   ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Ludovic Courtès @ 2022-06-30 14:13 UTC (permalink / raw)
  To: guix-devel, guix-science

[-- Attachment #1: Type: text/plain, Size: 955 bytes --]

Hello Guix!

I’m happy to announce the publication of a refereed paper in the
Programming journal:

  https://doi.org/10.22152/programming-journal.org/2023/7/1

It talks about the “secure update” mechanism used for channels and how
it fits together with functional deployment, reproducible builds, and
bootstrapping.  Comments from reviewers showed that explaining the whole
context was important to allow people not familiar with Guix or Nix to
understand why The Update Framework (TUF) isn’t a good match, why
Git{Hub,Lab} “verified” badges aren’t any good, and so on.

What’s presented there is not new if you’ve been following along, but
hopefully it puts things in perspective for outsiders.

I also think that one battle here is to insist on verifiability when a
lot of work about supply chain security goes into “attestation” (with
in-toto, sigstore, Google’s SLSA, and the likes.)

Enjoy!

Ludo’.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 869 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-06-30 14:13 “Building a Secure Software Supply Chain with GNU Guix” Ludovic Courtès
@ 2022-06-30 21:37 ` bokr
  2022-07-01  9:21   ` zimoun
  2022-07-04  7:44   ` Ludovic Courtès
  2022-07-17  7:54 ` Zhu Zihao
  2022-07-19  7:21 ` Arun Isaac
  2 siblings, 2 replies; 18+ messages in thread
From: bokr @ 2022-06-30 21:37 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, guix-science

On +2022-06-30 16:13:10 +0200, Ludovic Courtès wrote:
> Hello Guix!
> 
> I’m happy to announce the publication of a refereed paper in the
> Programming journal:
> 
>   https://doi.org/10.22152/programming-journal.org/2023/7/1
> 
> It talks about the “secure update” mechanism used for channels and how
> it fits together with functional deployment, reproducible builds, and
> bootstrapping.  Comments from reviewers showed that explaining the whole
> context was important to allow people not familiar with Guix or Nix to
> understand why The Update Framework (TUF) isn’t a good match, why
> Git{Hub,Lab} “verified” badges aren’t any good, and so on.
> 
> What’s presented there is not new if you’ve been following along, but
> hopefully it puts things in perspective for outsiders.
> 
> I also think that one battle here is to insist on verifiability when a
> lot of work about supply chain security goes into “attestation” (with
> in-toto, sigstore, Google’s SLSA, and the likes.)
> 
> Enjoy!
> 
> Ludo’.

Congratulations!

And thank you! I needed that assurance that guix really takes trust
seriously, and has a convincing internals story to back it up.

The "artifact" at [1] has a README.md [2] that's IMO definitely
also worth a read even if you aren't going to execute the image.

[1] <https://zenodo.org/record/6581453>
[2] <https://zenodo.org/record/6581453/files/README.md?download=1>

About this example (I like documentation that provides
things you can try):
--8<---------------cut here---------------start------------->8---
  5. Going back to our target revision, we can see that `gpg` can indeed
     verify signatures now: `git checkout
     20303c0b1c75bc4770cdfa8b8c6b33fd6e77c168 && git log --oneline
     --show-signature`.  `gpg` warns about expired keys but, as the
     paper notes, OpenPGP key expiration dates are ignored for our
     purposes (and the authentication code in Guix does *not* use
     `gpg`).
--8<---------------cut here---------------end--------------->8---

I think IWBN to have some kind of trust code come with that git output,
like gpg's 1-5 but indicating how well the committer/signer trusts
that using the code will *not* cause a problem.

I would like it if every commit had to have a code like that.

Even if it was "0," indicating that the committer judged
security to be irrelevant, I'd feel better knowing it was
part of committer workflow to be nudged into thinking
about the security aspect of the commit.

(Code alternative: an answer to the old real-opinon-extractor:
"How much money at what odds will you bet me this 
commit will not cause me problems?" ;-)

<ignorable class=rambling>
Hm, actually I think a 3-digit LTS code is required for reviewing:
with L indicating trust that the contribution is Legally ok,
and  T indicating trust in Technical competence of contributors
snd  S indicating trust in the Social aspect of the contribution crim/saint

OTTOMH encoding: digits 0-9: 0=NO Info, 1-9: subtract 5 =-> -4..+4,
with negatives meaning un-good opposites of positives. So code 191 would
be -4,+4,-4 for e.g.
  L-4: certain to have patent problems,
  T+4: contributed by a professional hacker,
  S-4: known criminal in supply chain.
</ignorable>

--
Regards,
Bengt Richter


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-06-30 21:37 ` bokr
@ 2022-07-01  9:21   ` zimoun
  2022-07-03 10:38     ` Bengt Richter
  2022-07-04  7:44   ` Ludovic Courtès
  1 sibling, 1 reply; 18+ messages in thread
From: zimoun @ 2022-07-01  9:21 UTC (permalink / raw)
  To: bokr, Ludovic Courtès; +Cc: guix-devel, guix-science

Hi Bengt,

On jeu., 30 juin 2022 at 23:37, bokr@bokr.com wrote:

> I think IWBN to have some kind of trust code come with that git output,
> like gpg's 1-5 but indicating how well the committer/signer trusts
> that using the code will *not* cause a problem.

Well, from my understanding, Guix is dealing with 4 sort of code:

 1. Guix recipe of a package
 2. Guix service
 3. Guix itself
 4. Upstream 

I do not think committers are pushing code about #1, #2 or #3 that they
know beforehand it will cause a problem.

Therefore, I do not see how it could be implemented without being rooted
in committer feelings, opinion or self-confidence, i.e., highly variable
from one committer to the other.

The GPG trust level works because it is based on the web of trust.
Here, there is no web, IMHO.

Most of the security issues are from #4.  Considering how hard it is to
find and tackle the security issues, there is only two strategies, IMHO:
do not trust which implies deep audit of distributed source code and so
restrict the set of available packages (it is somehow an OpenBSD
approach); or accept more packages which means somehow trust upstream,
to some extent.


However, all in all, it asks what is expected by the reviewing process,
as discussed [1]. :-)

1: <https://yhetil.org/guix/87r13aifi3.fsf_-_@gnu.org>


Cheers,
simon


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-01  9:21   ` zimoun
@ 2022-07-03 10:38     ` Bengt Richter
  2022-07-04  8:21       ` zimoun
  0 siblings, 1 reply; 18+ messages in thread
From: Bengt Richter @ 2022-07-03 10:38 UTC (permalink / raw)
  To: zimoun; +Cc: Ludovic Courtès, guix-devel, guix-science

Hi Simon, and all,

On +2022-07-01 11:21:43 +0200, zimoun wrote:
> Hi Bengt,
> 
> On jeu., 30 juin 2022 at 23:37, bokr@bokr.com wrote:
> 
> > I think IWBN to have some kind of trust code come with that git output,
> > like gpg's 1-5 but indicating how well the committer/signer trusts
> > that using the code will *not* cause a problem.
> 
> Well, from my understanding, Guix is dealing with 4 sort of code:
> 
>  1. Guix recipe of a package
>  2. Guix service
>  3. Guix itself
>  4. Upstream 
> 
> I do not think committers are pushing code about #1, #2 or #3 that they
> know beforehand it will cause a problem.
>

Hm, -- unless <context-requirements-not-met> ... ? :)

> Therefore, I do not see how it could be implemented without being rooted
> in committer feelings, opinion or self-confidence, i.e., highly variable
> from one committer to the other.
> 
> The GPG trust level works because it is based on the web of trust.
> Here, there is no web, IMHO.
>

Well, guix developers who know each other well "in real life" have a pretty
good web, if not formal, no? :)
It's just not accessible to newcoming outsiders, who can't see the trust
codes in the insiders' heads :)

> Most of the security issues are from #4.  Considering how hard it is to
> find and tackle the security issues, there is only two strategies, IMHO:
> do not trust which implies deep audit of distributed source code and so
> restrict the set of available packages (it is somehow an OpenBSD
> approach); or accept more packages which means somehow trust upstream,
> to some extent.
>

Agreed, #4 is usually the source of security issues.

I'm just looking for some greppable coded hint of the difference between
a package that consists of e.g. a reverse polish calculator homework
assignemnt that a nerdy friend showed how to submit as a package, vs.
e.g. a package where the comments say over 10K subscribers have now been
running this hundreds of times daily for 2 months of beta testing with
no reported problems. Vs. This is alpha stuff, but seems harmless enough
if you run it in a container.

I'm not asking any guarantees, just a professional's quick judgement.
Like a chef's quick opinion on the cantaloupes at the open market. 

This is separate from the issue of whether to include a package under guix.
No blocker if the cantaloupe is not ripe, but helpful to have a sticker
saying so, for those who (for lack of time perhaps) want to order on line
and use grep instead of their nose :)

> 
> However, all in all, it asks what is expected by the reviewing process,
> as discussed [1]. :-)
> 
> 1: <https://yhetil.org/guix/87r13aifi3.fsf_-_@gnu.org>
> 
> 
> Cheers,
> simon

I am not forgetting that I should be thankful for anything I am provided
freely. So thank you all!
--
Regards,
Bengt Richter



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-06-30 21:37 ` bokr
  2022-07-01  9:21   ` zimoun
@ 2022-07-04  7:44   ` Ludovic Courtès
  1 sibling, 0 replies; 18+ messages in thread
From: Ludovic Courtès @ 2022-07-04  7:44 UTC (permalink / raw)
  To: bokr; +Cc: guix-devel, guix-science

Hi,

bokr@bokr.com skribis:

> I think IWBN to have some kind of trust code come with that git output,
> like gpg's 1-5 but indicating how well the committer/signer trusts
> that using the code will *not* cause a problem.
>
> I would like it if every commit had to have a code like that.

I very much agree with what zimoun wrote: it’s very hard to assess the
security implications of a Guix commit (especially a commit that adds,
say, a 100K lines-of-code package), and we shouldn’t ask too much of
packagers.

Ludo’.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-03 10:38     ` Bengt Richter
@ 2022-07-04  8:21       ` zimoun
  2022-07-04 14:56         ` Bengt Richter
  0 siblings, 1 reply; 18+ messages in thread
From: zimoun @ 2022-07-04  8:21 UTC (permalink / raw)
  To: Bengt Richter; +Cc: Ludovic Courtès, guix-devel, guix-science

Hi,

On Sun, 03 Jul 2022 at 12:38, Bengt Richter <bokr@bokr.com> wrote:
>> I do not think committers are pushing code about #1, #2 or #3 that they
>> know beforehand it will cause a problem.
>
> Hm, -- unless <context-requirements-not-met> ... ? :)
>

I do not understand what you mean?

>> The GPG trust level works because it is based on the web of trust.
>> Here, there is no web, IMHO.
>
> Well, guix developers who know each other well "in real life" have a pretty
> good web, if not formal, no? :)

Maybe I miss something.  IIUC, you are proposing to attach a level of
trust to each commit.

If this level for one commit is set by one committer, then the outcome
is poor because this level strongly depends on the committer.  Committer
A could say 0 and committer B would say 3 for the same commit, other
said the level depends on who do the job; therefore it is too dependent
on the committer mood to be useful, security-wise.  In this case, there
is no web of trust.

If this level for one commit is set by more than one committer, then it
is not affordable because it means we are doing double (or more) review
when the project is trying to just deal with merging all the
submissions.  In this case, there is a web of trust.  But it is not
doable considering the rate of commits.


> I'm just looking for some greppable coded hint of the difference between
> a package that consists of e.g. a reverse polish calculator homework
> assignemnt that a nerdy friend showed how to submit as a package, vs.
> e.g. a package where the comments say over 10K subscribers have now been
> running this hundreds of times daily for 2 months of beta testing with
> no reported problems. Vs. This is alpha stuff, but seems harmless enough
> if you run it in a container.

Run OpenBSD. ;-)


> I'm not asking any guarantees, just a professional's quick judgement.
> Like a chef's quick opinion on the cantaloupes at the open market. 

Why this professional's quick judgment should come from the package
manager (packager, reviewer, committer) and not from a community around
the specific software whatever how it is distributed?


Cheers,
simon


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-04  8:21       ` zimoun
@ 2022-07-04 14:56         ` Bengt Richter
  0 siblings, 0 replies; 18+ messages in thread
From: Bengt Richter @ 2022-07-04 14:56 UTC (permalink / raw)
  To: zimoun; +Cc: Ludovic Courtès, guix-devel, guix-science

Hi zimoun,

On +2022-07-04 10:21:13 +0200, zimoun wrote:
> Hi,
> 
> On Sun, 03 Jul 2022 at 12:38, Bengt Richter <bokr@bokr.com> wrote:
> >> I do not think committers are pushing code about #1, #2 or #3 that they
> >> know beforehand it will cause a problem.
> >
> > Hm, -- unless <context-requirements-not-met> ... ? :)
> >
> 
> I do not understand what you mean?
>
I just meant I think I have seen partial fixes committed, noting that it will
only work given some required context, like run time must be x86_64 (or else
"<context-requirements-not-met>" and problem can be expected :)

Sorry for the noise. NNTR  :/
--
Regards,
Bengt Richter


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-06-30 14:13 “Building a Secure Software Supply Chain with GNU Guix” Ludovic Courtès
  2022-06-30 21:37 ` bokr
@ 2022-07-17  7:54 ` Zhu Zihao
  2022-07-18  8:45   ` Ludovic Courtès
  2022-07-19  7:21 ` Arun Isaac
  2 siblings, 1 reply; 18+ messages in thread
From: Zhu Zihao @ 2022-07-17  7:54 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-science, guix-devel

[-- Attachment #1: Type: text/plain, Size: 2203 bytes --]


Good article!

There's still some questions to ask. I'm concerned about the safety of
the evaluation of channel code. IIRC, there's no sandbox for the
evaluation of package in channel. So, it's possible to inject some
side-effect code into a channel like

```
(define-module (my channel code))

(display "I'm planning to do evil things here!")

(define-public some-package ...)
(define-public another-package ...)
```

We have PGP sign and git commit chain to make sure the commits are
committed by trusted people. But it's still possible for the channel
owner to inject malicious code into the channel in a future commit. Like
what Marak Squires did in faker.js project :( or the committer of Guix
was attacked by an evil maid.

In Nix flakes, there's pure evaluation to make sure no side-effectful
code is allowed. But Guix channel is less restricted than a Nix flake.
It's a important problem to make sure the evaluation is safe for the user.


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> [[PGP Signed Part:Undecided]]
> Hello Guix!
>
> I’m happy to announce the publication of a refereed paper in the
> Programming journal:
>
>   https://doi.org/10.22152/programming-journal.org/2023/7/1
>
> It talks about the “secure update” mechanism used for channels and how
> it fits together with functional deployment, reproducible builds, and
> bootstrapping.  Comments from reviewers showed that explaining the whole
> context was important to allow people not familiar with Guix or Nix to
> understand why The Update Framework (TUF) isn’t a good match, why
> Git{Hub,Lab} “verified” badges aren’t any good, and so on.
>
> What’s presented there is not new if you’ve been following along, but
> hopefully it puts things in perspective for outsiders.
>
> I also think that one battle here is to insist on verifiability when a
> lot of work about supply chain security goes into “attestation” (with
> in-toto, sigstore, Google’s SLSA, and the likes.)
>
> Enjoy!
>
> Ludo’.
>
> [[End of PGP Signed Part]]


-- 
Retrieve my PGP public key:

  gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 255 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-17  7:54 ` Zhu Zihao
@ 2022-07-18  8:45   ` Ludovic Courtès
  2022-07-18  9:40     ` Zhu Zihao
  2022-07-19 13:53     ` Maxime Devos
  0 siblings, 2 replies; 18+ messages in thread
From: Ludovic Courtès @ 2022-07-18  8:45 UTC (permalink / raw)
  To: Zhu Zihao; +Cc: guix-science, guix-devel

Hi,

Zhu Zihao <all_but_last@163.com> skribis:

> There's still some questions to ask. I'm concerned about the safety of
> the evaluation of channel code. IIRC, there's no sandbox for the
> evaluation of package in channel. So, it's possible to inject some
> side-effect code into a channel like
>
> ```
> (define-module (my channel code))
>
> (display "I'm planning to do evil things here!")
>
> (define-public some-package ...)
> (define-public another-package ...)
> ```

Yes.

> We have PGP sign and git commit chain to make sure the commits are
> committed by trusted people. But it's still possible for the channel
> owner to inject malicious code into the channel in a future commit. Like
> what Marak Squires did in faker.js project :( or the committer of Guix
> was attacked by an evil maid.

I’m not aware of the faker.js story, do you have a link?

The model here is that users trust authorized committers.  When you
think about it, there’s no way around it, because at the end of the day,
you’re installing software that an authorized committer added to the
channel.

To put it differently, side effects in the .scm file as you show above
are just one of the many ways an authorized committer could harm users.

> In Nix flakes, there's pure evaluation to make sure no side-effectful
> code is allowed. But Guix channel is less restricted than a Nix flake.
> It's a important problem to make sure the evaluation is safe for the user.

Yes, I understand.  I don’t think that makes a practical difference
though: when you pull from a Guix channel or fetch a Nix flake, that’s
because you want to install software according to what that
channel/flake provides.  So whether evil code is in the channel/flake
(as Scheme/Nix code) or in the package(s) themselves makes little
difference.

Does that make sense?

(Besides, there’s no mechanism for authenticated updates of flakes or of
Nixpkgs, which is the core of the paper.)

Thanks for your feedback!

Ludo’.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-18  8:45   ` Ludovic Courtès
@ 2022-07-18  9:40     ` Zhu Zihao
  2022-07-18 12:30       ` Ludovic Courtès
  2022-07-19 13:53     ` Maxime Devos
  1 sibling, 1 reply; 18+ messages in thread
From: Zhu Zihao @ 2022-07-18  9:40 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-science, guix-devel

[-- Attachment #1: Type: text/plain, Size: 1746 bytes --]


Ludovic Courtès <ludovic.courtes@inria.fr> writes:

>> We have PGP sign and git commit chain to make sure the commits are
>> committed by trusted people. But it's still possible for the channel
>> owner to inject malicious code into the channel in a future commit. Like
>> what Marak Squires did in faker.js project :( or the committer of Guix
>> was attacked by an evil maid.
>
> I’m not aware of the faker.js story, do you have a link?

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Here's a detailed report about Marak and faker.js.

>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>> code is allowed. But Guix channel is less restricted than a Nix flake.
>> It's a important problem to make sure the evaluation is safe for the user.
>
> Yes, I understand.  I don’t think that makes a practical difference
> though: when you pull from a Guix channel or fetch a Nix flake, that’s
> because you want to install software according to what that
> channel/flake provides.  So whether evil code is in the channel/flake
> (as Scheme/Nix code) or in the package(s) themselves makes little
> difference.
>
> Does that make sense?

My two cents: When depolying a manifest, we use `guix package -p
<path-to-profile> -m <path-to-manifest>`, This command consists two
parts. Guix will first evaluate the packages specified in the manifest,
and build the profile. And then populate the profile to given
destination. The first part can be done in a sandboxed environment, or a
non-privileged account like "nobody".

-- 
Retrieve my PGP public key:

  gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 255 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-18  9:40     ` Zhu Zihao
@ 2022-07-18 12:30       ` Ludovic Courtès
  2022-07-18 12:38         ` Ricardo Wurmus
  0 siblings, 1 reply; 18+ messages in thread
From: Ludovic Courtès @ 2022-07-18 12:30 UTC (permalink / raw)
  To: Zhu Zihao; +Cc: guix-science, guix-devel

Hi,

Zhu Zihao <all_but_last@163.com> skribis:

> https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
>
> Here's a detailed report about Marak and faker.js.

Interesting.  But yeah, a Guix committer could change Guix anytime to
print “LIBERTY” (that’s very much the spirit of the project ;-)) or they
could, simply, unwillingly introduce bugs.  No technical mechanism can
prevent that.

>>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>>> code is allowed. But Guix channel is less restricted than a Nix flake.
>>> It's a important problem to make sure the evaluation is safe for the user.
>>
>> Yes, I understand.  I don’t think that makes a practical difference
>> though: when you pull from a Guix channel or fetch a Nix flake, that’s
>> because you want to install software according to what that
>> channel/flake provides.  So whether evil code is in the channel/flake
>> (as Scheme/Nix code) or in the package(s) themselves makes little
>> difference.
>>
>> Does that make sense?
>
> My two cents: When depolying a manifest, we use `guix package -p
> <path-to-profile> -m <path-to-manifest>`, This command consists two
> parts. Guix will first evaluate the packages specified in the manifest,
> and build the profile. And then populate the profile to given
> destination. The first part can be done in a sandboxed environment, or a
> non-privileged account like "nobody".

Sure, though at a technical level is trickier than this, and again, it
doesn’t change the fact that you’ll end up running code provided by the
very same developers.

Thanks,
Ludo’.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-18 12:30       ` Ludovic Courtès
@ 2022-07-18 12:38         ` Ricardo Wurmus
  0 siblings, 0 replies; 18+ messages in thread
From: Ricardo Wurmus @ 2022-07-18 12:38 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Zhu Zihao, guix-devel, guix-science


Ludovic Courtès <ludo@gnu.org> writes:

>> My two cents: When depolying a manifest, we use `guix package -p
>> <path-to-profile> -m <path-to-manifest>`, This command consists two
>> parts. Guix will first evaluate the packages specified in the manifest,
>> and build the profile. And then populate the profile to given
>> destination. The first part can be done in a sandboxed environment, or a
>> non-privileged account like "nobody".
>
> Sure, though at a technical level is trickier than this, and again, it
> doesn’t change the fact that you’ll end up running code provided by the
> very same developers.

It may still be worthwhile adding a few restrictions.  One scenario that
caught me by suprise: deleting files in a snippet.  I forgot quoting the
snippet and ended up running the deletion code on the host side – in my
working directory.  Nothing bad happened and we’ve never committed any
mistake like that to the repository, but it is conceivable that
something like this gets past the review and ends up deleting files.

A safety net would prevent a small mistake like a missing quote from
having potentially large side effects.

Of course, all this is orthogonal to securing the supply chain, which is
what the paper is about.

-- 
Ricardo


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-06-30 14:13 “Building a Secure Software Supply Chain with GNU Guix” Ludovic Courtès
  2022-06-30 21:37 ` bokr
  2022-07-17  7:54 ` Zhu Zihao
@ 2022-07-19  7:21 ` Arun Isaac
  2022-07-19 12:11   ` Ludovic Courtès
  2022-07-19 13:45   ` Maxime Devos
  2 siblings, 2 replies; 18+ messages in thread
From: Arun Isaac @ 2022-07-19  7:21 UTC (permalink / raw)
  To: Ludovic Courtès, guix-devel, guix-science


Hi Ludo,

>   https://doi.org/10.22152/programming-journal.org/2023/7/1

This is an excellent read! Are there plans to release this git
authentication system as a separate tool so that other non-Guix projects
may use it easily?

Thanks,
Arun


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-19  7:21 ` Arun Isaac
@ 2022-07-19 12:11   ` Ludovic Courtès
  2022-07-20  6:17     ` Arun Isaac
  2022-07-19 13:45   ` Maxime Devos
  1 sibling, 1 reply; 18+ messages in thread
From: Ludovic Courtès @ 2022-07-19 12:11 UTC (permalink / raw)
  To: Arun Isaac; +Cc: guix-devel, guix-science

Hi!

Arun Isaac <arunisaac@systemreboot.net> skribis:

> This is an excellent read! Are there plans to release this git
> authentication system as a separate tool so that other non-Guix projects
> may use it easily?

Not really.  ‘guix git authenticate’ is already usable outside and the
modules behind it are well isolated from the rest of Guix though.

  https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-git-authenticate.html

I don’t plan personally to make it a separately-maintained tool, but it
could be interesting.  More generally, getting in touch with the Git
developers and also with other projects with similar concerns would be
great.

Ludo’.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-19  7:21 ` Arun Isaac
  2022-07-19 12:11   ` Ludovic Courtès
@ 2022-07-19 13:45   ` Maxime Devos
  1 sibling, 0 replies; 18+ messages in thread
From: Maxime Devos @ 2022-07-19 13:45 UTC (permalink / raw)
  To: Arun Isaac, Ludovic Courtès, guix-devel, guix-science

Arun Isaac schreef op di 19-07-2022 om 12:51 [+0530]:
> 
> Hi Ludo,
> 
> >    https://doi.org/10.22152/programming-journal.org/2023/7/1
> 
> This is an excellent read! Are there plans to release this git
> authentication system as a separate tool so that other non-Guix
> projects may use it easily?

FWIW I have been using "guix git authenticate" + .guix-authorizations
in the Git repo of Scheme-GNUnet for letting users verify whether they
got an 'authentic' copy.

Greetings,
Maxime.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-18  8:45   ` Ludovic Courtès
  2022-07-18  9:40     ` Zhu Zihao
@ 2022-07-19 13:53     ` Maxime Devos
  1 sibling, 0 replies; 18+ messages in thread
From: Maxime Devos @ 2022-07-19 13:53 UTC (permalink / raw)
  To: Ludovic Courtès, Zhu Zihao; +Cc: guix-science, guix-devel

Ludovic Courtès schreef op ma 18-07-2022 om 10:45 [+0200]:
> The model here is that users trust authorized committers.  When you
> think about it, there’s no way around it, because at the end of the
> day, you’re installing software that an authorized committer added to
> the channel.

FWIW, something I haven't seen mentioned yet is that the trust problem
could be reduced by some kind of multisig system, where multiple
independent persons would need to sign the commit for it to be
accepted, though that might be technically hard to implement and
probably be too people-time-expensive currently.

Greetings,
Maxime.



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
  2022-07-19 12:11   ` Ludovic Courtès
@ 2022-07-20  6:17     ` Arun Isaac
  0 siblings, 0 replies; 18+ messages in thread
From: Arun Isaac @ 2022-07-20  6:17 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, guix-science


> I don’t plan personally to make it a separately-maintained tool, but it
> could be interesting.  More generally, getting in touch with the Git
> developers and also with other projects with similar concerns would be
> great.

That's good to know, thanks! Yup, git integration would be
great. Meanwhile, interested folks can already use `guix git
authenticate' like Maxime is doing for Scheme-GNUnet.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: “Building a Secure Software Supply Chain with GNU Guix”
@ 2022-07-19  0:35 Jeremiah
  0 siblings, 0 replies; 18+ messages in thread
From: Jeremiah @ 2022-07-19  0:35 UTC (permalink / raw)
  To: rekado; +Cc: guix-devel

This is why things like SELinux exist, combine with separate binaries
for the functionality that impacts things outside of the store to
quickly minimize possible damage. If the binary can only create links
the possible damage is quite limited.

But the much more dangerous modification is much more subtle and can go
months to years without being noticed. To which there is no defense. As
there is no way to know when a person you trust will go crazy, turn evil
or flip the switch they planned many years ago.

Heck, the possible exploits that could be in the bootstrap seeds could
so subtle you wouldn't notice or even hidden in the kernel itself:
https://gitlab.com/bauen1/stage0-backdoor.git

Making reviews by third parties cheap, make forking cheap and never
assuming that anyone should be completely trusted is usually a secure
place to start.

And why the bootstrap seeds README starts with:
NEVER TRUST ANYTHING IN HERE

I could be evil after all

-Jeremiah


^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2022-07-20  6:49 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-30 14:13 “Building a Secure Software Supply Chain with GNU Guix” Ludovic Courtès
2022-06-30 21:37 ` bokr
2022-07-01  9:21   ` zimoun
2022-07-03 10:38     ` Bengt Richter
2022-07-04  8:21       ` zimoun
2022-07-04 14:56         ` Bengt Richter
2022-07-04  7:44   ` Ludovic Courtès
2022-07-17  7:54 ` Zhu Zihao
2022-07-18  8:45   ` Ludovic Courtès
2022-07-18  9:40     ` Zhu Zihao
2022-07-18 12:30       ` Ludovic Courtès
2022-07-18 12:38         ` Ricardo Wurmus
2022-07-19 13:53     ` Maxime Devos
2022-07-19  7:21 ` Arun Isaac
2022-07-19 12:11   ` Ludovic Courtès
2022-07-20  6:17     ` Arun Isaac
2022-07-19 13:45   ` Maxime Devos
2022-07-19  0:35 Jeremiah

Code repositories for project(s) associated with this inbox:

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).