unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* “Building a Secure Software Supply Chain with GNU Guix”
@ 2022-06-30 14:13 Ludovic Courtès
  2022-06-30 21:37 ` bokr
                   ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Ludovic Courtès @ 2022-06-30 14:13 UTC (permalink / raw)
  To: guix-devel, guix-science

[-- Attachment #1: Type: text/plain, Size: 955 bytes --]

Hello Guix!

I’m happy to announce the publication of a refereed paper in the
Programming journal:

  https://doi.org/10.22152/programming-journal.org/2023/7/1

It talks about the “secure update” mechanism used for channels and how
it fits together with functional deployment, reproducible builds, and
bootstrapping.  Comments from reviewers showed that explaining the whole
context was important to allow people not familiar with Guix or Nix to
understand why The Update Framework (TUF) isn’t a good match, why
Git{Hub,Lab} “verified” badges aren’t any good, and so on.

What’s presented there is not new if you’ve been following along, but
hopefully it puts things in perspective for outsiders.

I also think that one battle here is to insist on verifiability when a
lot of work about supply chain security goes into “attestation” (with
in-toto, sigstore, Google’s SLSA, and the likes.)

Enjoy!

Ludo’.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 869 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread
* Re: “Building a Secure Software Supply Chain with GNU Guix”
@ 2022-07-19  0:35 Jeremiah
  0 siblings, 0 replies; 18+ messages in thread
From: Jeremiah @ 2022-07-19  0:35 UTC (permalink / raw)
  To: rekado; +Cc: guix-devel

This is why things like SELinux exist, combine with separate binaries
for the functionality that impacts things outside of the store to
quickly minimize possible damage. If the binary can only create links
the possible damage is quite limited.

But the much more dangerous modification is much more subtle and can go
months to years without being noticed. To which there is no defense. As
there is no way to know when a person you trust will go crazy, turn evil
or flip the switch they planned many years ago.

Heck, the possible exploits that could be in the bootstrap seeds could
so subtle you wouldn't notice or even hidden in the kernel itself:
https://gitlab.com/bauen1/stage0-backdoor.git

Making reviews by third parties cheap, make forking cheap and never
assuming that anyone should be completely trusted is usually a secure
place to start.

And why the bootstrap seeds README starts with:
NEVER TRUST ANYTHING IN HERE

I could be evil after all

-Jeremiah


^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2022-07-20  6:49 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-30 14:13 “Building a Secure Software Supply Chain with GNU Guix” Ludovic Courtès
2022-06-30 21:37 ` bokr
2022-07-01  9:21   ` zimoun
2022-07-03 10:38     ` Bengt Richter
2022-07-04  8:21       ` zimoun
2022-07-04 14:56         ` Bengt Richter
2022-07-04  7:44   ` Ludovic Courtès
2022-07-17  7:54 ` Zhu Zihao
2022-07-18  8:45   ` Ludovic Courtès
2022-07-18  9:40     ` Zhu Zihao
2022-07-18 12:30       ` Ludovic Courtès
2022-07-18 12:38         ` Ricardo Wurmus
2022-07-19 13:53     ` Maxime Devos
2022-07-19  7:21 ` Arun Isaac
2022-07-19 12:11   ` Ludovic Courtès
2022-07-20  6:17     ` Arun Isaac
2022-07-19 13:45   ` Maxime Devos
  -- strict thread matches above, loose matches on Subject: below --
2022-07-19  0:35 Jeremiah

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).