Message-ID: <8076578a-bebd-0f26-6d39-f634ded290ce@elenq.tech>
Date: Thu, 11 Apr 2024 14:56:24 +0200
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
From: Ekaitz Zarraga
To: Andreas Enge, Ludovic Courtès
Cc: Attila Lendvai, Giovanni Biscuolo, Guix Devel
References: <87ttkon4c4.fsf@protonmail.com> <8734s1mn5p.fsf@xelera.eu> <87zfu9ku4l.fsf@xelera.eu> <6e743725-26f0-669c-b088-e56c850110c8@elenq.tech> <87wmp5l3r3.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

On 2024-04-11 14:43, Andreas Enge wrote:
> Hello,
>
> On Wed, Apr 10, 2024 at 03:57:20PM +0200, Ludovic Courtès wrote:
>> I think we should gradually move to building everything from
>> source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.
>
> the big drawback of this approach is that we would lose maintainers'
> signatures, right?
>
> Would the suggestion to use signed tarballs, but to autoreconf the
> generated files, not be a better compromise between trusting and
> distrusting upstream maintainers?
>
> Andreas
>

Probably not, because the release tarballs might contain code that is not present in the Git history and there are not that many eyes checking them. This time it was autoconf, but it might be anything else. The maintainers' machines can be hijacked too...

I think it's just better to obtain the exact same code that is easy to find and everybody is reading.
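A check that follows from the point above, added here as an example and not code from the thread or from Guix: it lists what an unpacked release tarball carries beyond the VCS checkout, separating expected autoreconf output from anything else, and flags files whose contents differ between the two trees. The sample trees, file names and the list of generated paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: report what an extracted release
# tarball carries that the VCS checkout does not. Tarball-only files are either
# expected Autotools output or something that never went through review.
set -eu

# Paths (relative to the tree root) that autoreconf regenerates and that are
# therefore expected to be missing from git. Anything else tarball-only is
# flagged as unexpected. The list is illustrative, not exhaustive.
GENERATED="configure config.sub config.guess Makefile.in aclocal.m4"

is_generated() {
    for g in $GENERATED; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# tarball_extras VCS_DIR TARBALL_DIR
# Prints one line per finding: generated:<path> or unexpected:<path> for files
# only in the tarball, modified:<path> for files present in both but differing.
tarball_extras() {
    vcs=$1; tb=$2
    (cd "$tb" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while read -r f; do
        if [ ! -e "$vcs/$f" ]; then
            if is_generated "$f"; then echo "generated:$f"; else echo "unexpected:$f"; fi
        elif ! cmp -s "$vcs/$f" "$tb/$f"; then
            echo "modified:$f"
        fi
    done
}

# Constructed sample trees standing in for a git checkout and an unpacked
# tarball of the same release; every file name here is made up for the demo.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/vcs/m4" "$root/tar/m4" "$root/tar/tests"
    for d in vcs tar; do
        printf 'int main(void){return 0;}\n' > "$root/$d/main.c"
        printf 'AC_INIT([demo],[1.0])\n' > "$root/$d/configure.ac"
    done
    printf 'dnl original\n' > "$root/vcs/m4/extra.m4"
    printf 'dnl original\ndnl one line that is not in git\n' > "$root/tar/m4/extra.m4"
    printf '#!/bin/sh\n' > "$root/tar/configure"          # expected autoreconf output
    printf 'opaque blob\n' > "$root/tar/tests/blob.bin"   # never in the repository
    tarball_extras "$root/vcs" "$root/tar"
    rm -rf "$root"
}
```

Running `demo` reports `configure` as generated, `m4/extra.m4` as modified and `tests/blob.bin` as unexpected; on a real release the same comparison is run between `git archive` output at the tagged commit and the published tarball.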