From: zimoun
To: Tobias Geerinckx-Rice, Arun Isaac
Cc: guix-devel@gnu.org
Subject: Re: Public guix offload server
Date: Thu, 21 Oct 2021 10:12:15 +0200

Hi Tobias,

On Wed, 20 Oct 2021 at 23:06, Tobias Geerinckx-Rice wrote:

> Giving access only to people with commit access is a given, but
> any shared offload server is a huge shared security risk.
>
> Guix is not content-addressed.  Any [compromised] user can upload
> arbitrary malicious binaries with store hashes identical to the
> legitimate build.  These malicious binaries can then be downloaded
> by other clients, which presumably all have commit access.
>
> Now the attacker almost certainly has covert access to one or more
> user accounts that can push signed commits to Guix upstream.

If I understand correctly, if a committer offloads to say Berlin or
Bayfront, your concern is that the output will be in the publicly
exposed store.  Right?

If yes, one could imagine two stores: one populated by CI as it is
currently done and another one mounted elsewhere considered as sandbox
and regularly garbage collected.

For instance, one could imagine a dedicated VM for all the committers
who require some CPU power.  I mean, it is some system administration
work, but is it not technically feasible?

> At that point, one might consider dropping SSH account-based
> access in favour of a minimal job submission API, and just return
> the results through guix publish or so…?  OTOH, that's yet another
> code path.

A minimal job submission API with token would be ideal, IMHO.  But it
falls into:

        Now is better than never.
        Although never is often better than *right* now.

                – python -c 'import this' –

> By waiting, and planning.  I'm lucky to have a ridiculously
> overpowered ThinkPad for its age and a newer headless tower at
> home that can run builds 24/7, but nothing close to a ‘powerful
> workstation’ by industry standards.

I sympathize with Arun’s requests.  For instance, it is impossible to
review Julia packages using my old laptop.  Even, it takes ages to just
compile Guix from sources and it is becoming worse and worse.
Hopefully, I am lucky and I have remote access to some workstations at
work.

Yes, we can wait and plan for a better solution for helping committers
to do their review. ;-)

Cheers,
simon
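
The point quoted above (a store that is not content-addressed does not bind a store name to the bytes stored under it) can be shown with a toy model. This is an added example, not part of the original message and not Guix code: the hashing scheme is a simplified assumption, and the recipe, builder names and outputs are constructed. It also shows the defensive check of comparing content hashes from independent builders, similar in spirit to `guix challenge`.

```python
import hashlib
from collections import Counter

def input_addressed_path(recipe, name):
    # Toy model (assumption, not Guix's real scheme): the store name is
    # derived only from the build recipe, never from the bytes produced.
    digest = hashlib.sha256(recipe.encode()).hexdigest()[:32]
    return f"/gnu/store/{digest}-{name}"

def content_hash(output):
    # Hash of what was actually built; this is what a path would need to
    # depend on for the store to be content-addressed.
    return hashlib.sha256(output).hexdigest()

def disagreeing_builders(reports):
    """Given {builder: output bytes} for ONE store path, return the builders
    whose content hash differs from the strict majority. With no strict
    majority every builder is returned, since none can be trusted.
    Caveat: a non-reproducible build also disagrees without any tampering."""
    hashes = {b: content_hash(o) for b, o in reports.items()}
    majority, count = Counter(hashes.values()).most_common(1)[0]
    if count <= len(hashes) / 2:
        return sorted(hashes)
    return sorted(b for b, h in hashes.items() if h != majority)

# Constructed sample data: one recipe, three builders, one altered output.
RECIPE = '(package (name "hello") (version "2.10"))'
PATH = input_addressed_path(RECIPE, "hello-2.10")
REPORTS = {
    "ci-a": b"legitimate build output",
    "ci-b": b"legitimate build output",
    "shared-offload": b"altered build output",
}

if __name__ == "__main__":
    # Every builder serves its bytes under the same name, so the path
    # alone cannot distinguish the altered output from the real one.
    print("store path:", PATH)
    for builder, output in REPORTS.items():
        print(f"  {builder:15} {content_hash(output)[:16]}")
    print("disagreeing:", disagreeing_builders(REPORTS))
```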