From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 3 Jul 2022 12:38:39 +0200
From: Bengt Richter
To: zimoun
Cc: Ludovic Courtès, guix-devel, guix-science@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Message-ID: <20220703103839.GA41557@LionPure>
References: <87zghu5jex.fsf@inria.fr> <20220630213735.GA9726@LionPure> <87h741nq6w.fsf@gmail.com>
In-Reply-To: <87h741nq6w.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
User-Agent: Mutt/1.10.1 (2018-07-13)
List-Id: Guix-Science
Hi Simon, and all,

On +2022-07-01 11:21:43 +0200, zimoun wrote:
> Hi Bengt,
>
> On jeu., 30 juin 2022 at 23:37, bokr@bokr.com wrote:
>
> > I think IWBN to have some kind of trust code come with that git output,
> > like gpg's 1-5 but indicating how well the committer/signer trusts
> > that using the code will *not* cause a problem.
>
> Well, from my understanding, Guix is dealing with 4 sorts of code:
>
> 1. Guix recipe of a package
> 2. Guix service
> 3. Guix itself
> 4. Upstream
>
> I do not think committers are pushing code about #1, #2 or #3 that they
> know beforehand will cause a problem.
>

Hm, -- unless ... ? :)

> Therefore, I do not see how it could be implemented without being rooted
> in committer feelings, opinion or self-confidence, i.e., highly variable
> from one committer to the other.
>
> The GPG trust level works because it is based on the web of trust.
> Here, there is no web, IMHO.
>

Well, guix developers who know each other well "in real life" have a pretty
good web, if not a formal one, no? :)
It's just not accessible to newcoming outsiders, who can't see the trust
codes in the insiders' heads :)

> Most of the security issues are from #4. Considering how hard it is to
> find and tackle the security issues, there are only two strategies, IMHO:
> do not trust, which implies deep audit of distributed source code and so
> restricts the set of available packages (it is somehow an OpenBSD
> approach); or accept more packages, which means somehow trusting upstream,
> to some extent.
>

Agreed, #4 is usually the source of security issues.

I'm just looking for some greppable coded hint of the difference between a
package that consists of, e.g., a reverse polish calculator homework
assignment that a nerdy friend showed how to submit as a package, vs., e.g.,
a package where the comments say over 10K subscribers have now been running
this hundreds of times daily for 2 months of beta testing with no reported
problems. Vs. "this is alpha stuff, but seems harmless enough if you run it
in a container."

I'm not asking for any guarantees, just a professional's quick judgement.
Like a chef's quick opinion on the cantaloupes at the open market.

This is separate from the issue of whether to include a package under guix.
No blocker if the cantaloupe is not ripe, but helpful to have a sticker
saying so, for those who (for lack of time perhaps) want to order online and
use grep instead of their nose :)

>
> However, all in all, it asks what is expected by the reviewing process,
> as discussed [1]. :-)
>
> 1:
>
>
> Cheers,
> simon

I am not forgetting that I should be thankful for anything I am provided
freely. So thank you all!

--
Regards,
Bengt Richter