From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 25 Aug 2020 13:01:00 +0300
From: Efraim Flashner
To: Ludovic Courtès
Cc: guix-devel@gnu.org
Subject: Re: Securing the software distribution chain
Message-ID: <20200825100100.GC979@E5400>
References: <87blk6wkug.fsf@europa.jade-hamburg.de> <87ime9w23i.fsf@gnu.org> <87lfj0ujkk.fsf@europa.jade-hamburg.de> <87blj02jrt.fsf@gnu.org>
In-Reply-To: <87blj02jrt.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Mon, Aug 24, 2020 at 04:36:22PM +0200, Ludovic Courtès wrote:
> Hi!
> 
> Justus Winter skribis:
> 
> > Ludovic Courtès writes:
> 
> [...]
> 
> We can introduce signature verification in (guix download): every time
> code is downloaded and signature metadata is available, we verify its
> signature. Unfortunately, I'm afraid this is likely to lead to lots of
> false positives, and in particular failure to retrieve the OpenPGP key.
> 
> WDYT? Where would you integrate that?
> 

Debian does sometimes add a public gpg key or the tarball signature inside
their debian folder. Not exactly sure how that would map for us though.
-- 
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted