From: bokr@bokr.com
Date: Thu, 30 Jun 2022 23:37:35 +0200
To: Ludovic Courtès
Cc: guix-devel, guix-science@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Message-ID: <20220630213735.GA9726@LionPure>
In-Reply-To: <87zghu5jex.fsf@inria.fr>
On +2022-06-30 16:13:10 +0200, Ludovic Courtès wrote:
> Hello Guix!
>
> I’m happy to announce the publication of a refereed paper in the
> Programming journal:
>
> https://doi.org/10.22152/programming-journal.org/2023/7/1
>
> It talks about the “secure update” mechanism used for channels and how
> it fits together with functional deployment, reproducible builds, and
> bootstrapping. Comments from reviewers showed that explaining the whole
> context was important to allow people not familiar with Guix or Nix to
> understand why The Update Framework (TUF) isn’t a good match, why
> Git{Hub,Lab} “verified” badges aren’t any good, and so on.
>
> What’s presented there is not new if you’ve been following along, but
> hopefully it puts things in perspective for outsiders.
>
> I also think that one battle here is to insist on verifiability when a
> lot of work about supply chain security goes into “attestation” (with
> in-toto, sigstore, Google’s SLSA, and the likes.)
>
> Enjoy!
>
> Ludo’.

Congratulations! And thank you!
I needed that assurance that guix really takes trust seriously, and has a
convincing internals story to back it up.

The "artifact" at [1] has a README.md [2] that's IMO definitely also worth
a read even if you aren't going to execute the image.

[1]
[2]

About this example (I like documentation that provides things you can try):

--8<---------------cut here---------------start------------->8---
5. Going back to our target revision, we can see that `gpg` can indeed
   verify signatures now:
   `git checkout 20303c0b1c75bc4770cdfa8b8c6b33fd6e77c168 && git log --oneline --show-signature`.
   `gpg` warns about expired keys but, as the paper notes, OpenPGP key
   expiration dates are ignored for our purposes (and the authentication
   code in Guix does *not* use `gpg`).
--8<---------------cut here---------------end--------------->8---

I think IWBN to have some kind of trust code come with that git output, like
gpg's 1-5 but indicating how well the committer/signer trusts that using the
code will *not* cause a problem.

I would like it if every commit had to have a code like that. Even if it was
"0," indicating that the committer judged security to be irrelevant, I'd feel
better knowing it was part of committer workflow to be nudged into thinking
about the security aspect of the commit.

(Code alternative: an answer to the old real-opinion-extractor: "How much
money at what odds will you bet me this commit will not cause me problems?" ;-)

Hm, actually I think a 3-digit LTS code is required for reviewing: with L
indicating trust that the contribution is Legally ok, and T indicating trust
in Technical competence of contributors and S indicating trust in the Social
aspect of the contribution crim/saint

OTTOMH encoding: digits 0-9: 0=NO Info, 1-9: subtract 5 =-> -4..+4, with
negatives meaning un-good opposites of positives.

So code 191 would be -4,+4,-4 for e.g. L-4: certain to have patent problems,
T+4: contributed by a professional hacker, S-4: known criminal in supply chain.
--
Regards,
Bengt Richter
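As an added illustration of the 3-digit LTS code Bengt sketches above (not code from his mail, from the paper or from Guix): a decoder and encoder for the 0 = no info, 1..9 -> -4..+4 mapping, plus a reader that picks the code out of a hypothetical `LTS:` commit-message trailer in constructed `git log`-style output. The trailer name and the commit ids are assumptions, not an existing convention.

```python
import re
from typing import Dict, List, Optional, Tuple

AXES = ("legal", "technical", "social")  # the L, T and S axes of the proposed code

def decode_digit(d: str) -> Optional[int]:
    """One LTS digit: '0' means no information, '1'..'9' map to -4..+4."""
    if len(d) != 1 or not d.isdigit():
        raise ValueError(f"not a single digit: {d!r}")
    return None if d == "0" else int(d) - 5

def decode_lts(code: str) -> Dict[str, Optional[int]]:
    """Decode a 3-digit code, e.g. '191' -> legal -4, technical +4, social -4."""
    if not re.fullmatch(r"[0-9]{3}", code):
        raise ValueError(f"LTS code must be exactly three digits: {code!r}")
    return {axis: decode_digit(d) for axis, d in zip(AXES, code)}

def encode_lts(legal: Optional[int], technical: Optional[int],
               social: Optional[int]) -> str:
    """Inverse of decode_lts: None -> '0', -4..+4 -> '1'..'9'."""
    digits = []
    for level in (legal, technical, social):
        if level is not None and not -4 <= level <= 4:
            raise ValueError(f"trust level out of range -4..4: {level}")
        digits.append("0" if level is None else str(level + 5))
    return "".join(digits)

# Constructed `git log`-style output carrying a hypothetical "LTS:" trailer
# (an assumption for this example, not a Guix convention); ids are placeholders.
SAMPLE_LOG = """\
commit PLACEHOLDER1
    Add foo
    LTS: 191
commit PLACEHOLDER2
    Fix bar
    LTS: 555
commit PLACEHOLDER3
    Commit without any trust code
"""
TRAILER = re.compile(r"^\s*LTS:\s*([0-9]{3})\s*$", re.MULTILINE)

def lts_from_log(log: str) -> List[Tuple[str, Optional[Dict[str, Optional[int]]]]]:
    """Per commit: (commit id, decoded code), or (commit id, None) if no trailer."""
    results = []
    for chunk in re.split(r"(?m)^commit ", log)[1:]:
        commit_id = chunk.split(None, 1)[0]
        match = TRAILER.search(chunk)
        results.append((commit_id, decode_lts(match.group(1)) if match else None))
    return results
```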