From: Zhu Zihao
To: Ludovic Courtès
Cc: guix-science@gnu.org, guix-devel@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Sun, 17 Jul 2022 15:54:29 +0800
Message-ID: <86fsj0nnxy.fsf@163.com>
In-Reply-To: <87zghu5jex.fsf@inria.fr>
References: <87zghu5jex.fsf@inria.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."
Good article! There are still some questions to ask.

I'm concerned about the safety of the evaluation of channel code. IIRC, there's no sandbox for the evaluation of packages in a channel. So, it's possible to inject some side-effecting code into a channel like

```scheme
(define-module (my channel code))

;; Top-level expression: runs when the module is loaded, before any package is built.
(display "I'm planning to do evil things here!")

(define-public some-package ...)
(define-public another-package ...)
```

We have PGP signing and the git commit chain to make sure the commits are made by trusted people. But it's still possible for the channel owner to inject malicious code into the channel in a future commit, like what Marak Squires did in the faker.js project :( or if a Guix committer was attacked by an evil maid.

In Nix flakes, there's pure evaluation to make sure no side-effectful code is allowed. But a Guix channel is less restricted than a Nix flake. It's an important problem to make sure the evaluation is safe for the user.

Ludovic Courtès writes:

> Hello Guix!
>
> I’m happy to announce the publication of a refereed paper in the
> Programming journal:
>
> https://doi.org/10.22152/programming-journal.org/2023/7/1
>
> It talks about the “secure update” mechanism used for channels and how
> it fits together with functional deployment, reproducible builds, and
> bootstrapping.
> Comments from reviewers showed that explaining the whole
> context was important to allow people not familiar with Guix or Nix to
> understand why The Update Framework (TUF) isn’t a good match, why
> Git{Hub,Lab} “verified” badges aren’t any good, and so on.
>
> What’s presented there is not new if you’ve been following along, but
> hopefully it puts things in perspective for outsiders.
>
> I also think that one battle here is to insist on verifiability when a
> lot of work about supply chain security goes into “attestation” (with
> in-toto, sigstore, Google’s SLSA, and the likes.)
>
> Enjoy!
>
> Ludo’.

-- 
Retrieve my PGP public key: gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao
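As an added example, not code from this post or from Guix, here is a small Python heuristic for the concern raised in the message: it lists the head of every top-level form in a channel module and flags any that is not a known definitional form (the allow-list `ALLOWED_HEADS` and the sample module are assumptions constructed for the example). It is a static check, not a sandbox: a `define` whose value expression performs I/O still runs when the module loads and is not caught here.

```python
"""Flag top-level forms in a Guix channel module that are not definitions.

Added example (not from the post or from Guix); a static heuristic, not a sandbox.
"""
import re

# Hypothetical allow-list of forms that only bind names when a module loads.
ALLOWED_HEADS = {"define-module", "use-modules", "define", "define-public",
                 "define*", "define*-public", "define-syntax",
                 "define-record-type"}

# Minimal tokeniser: whitespace, ';' line comment, string literal, paren, atom.
TOKEN = re.compile(r'''\s+|;[^\n]*|"(?:\\.|[^"\\])*"|[()]|[^\s()";]+''', re.S)


def top_level_forms(src):
    """Return (line, head) for every top-level form in Scheme source `src`."""
    forms, depth, head, start, line = [], 0, None, 1, 1
    for m in TOKEN.finditer(src):
        tok = m.group(0)
        if tok.isspace() or tok.startswith(";"):
            pass                                   # no structural content
        elif tok == "(":
            if depth == 0:
                start, head = line, None           # a new top-level form begins
            elif depth == 1 and head is None:
                head = "<list>"                    # head is itself a form: ((lambda () ...))
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth == 0:
                forms.append((start, head or "<empty>"))
        elif depth == 1 and head is None:
            head = tok.lstrip("'`,")               # first atom after the opening paren
        elif depth == 0:
            forms.append((line, tok))              # bare atom at top level
        line += tok.count("\n")
    return forms


def suspicious_forms(src):
    """Top-level forms whose head is not a known definitional form."""
    return [(ln, h) for ln, h in top_level_forms(src) if h not in ALLOWED_HEADS]


# Constructed sample, modelled on the snippet quoted in the message above.
SAMPLE = '''(define-module (my channel code))
(display "I'm planning to do evil things here!")  ; runs when the module loads
(define-public some-package 'placeholder)
(define-public another-package 'placeholder)
'''
```

Running `suspicious_forms(SAMPLE)` reports the `display` form on line 2 and nothing else.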