From: zimoun
To: Giovanni Biscuolo, Ludovic Courtès, guix-devel@gnu.org
Subject: Re: Tricking peer review
In-Reply-To: <87czo0m7fu.fsf@xelera.eu>
References: <874k9if7am.fsf@inria.fr> <86ee8hfm1k.fsf@gmail.com> <87czo0m7fu.fsf@xelera.eu>
Date: Wed, 20 Oct 2021 11:10:44 +0200
Message-ID: <86r1cgcb8r.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hi,

On Wed, 20 Oct 2021 at 10:22, Giovanni Biscuolo wrote:

> I think the "final" result of this discussion should be condensed in a
> few (one?) additional paragraphs in the Contributing section of the Guix
> manual

Run “guix lint” is already listed.  What do you have in mind about more
additions?

> Well done Simon: AFAIU this is a complete analysis of the possible
> "source" attacks, or is something missing?

To my knowledge, yes, it is exhaustive with the current situation about
tricking the content-addressed system.

On top of that, it is addressed by hash functions; it is thus vulnerable
to a preimage attack on such hash functions.  SWH uses SHA-1 to address
and I do not know how they address potential collisions.  For instance,
the cost for SHA-1 [1] is still really expensive.  Well, for the
interested reader, one can read the discussion here [2].  SHA-1 is 2^160
(~10^48.2), compared to 10^50, which is the estimated number of atoms in
Earth.  Speaking about content-addressability, SHA-1 seems fine.  We are
speaking about content-addressability, not about using SHA-1 as a hash
function for security, IMHO.  It is the same situation as Git, for
instance.

The attack surface is very low because:

 a) SWH is an archive and not a forge,
 b) a chosen-prefix attack [3] could not work if review is correctly
    done; which means run “guix lint”,
 c) an attacker has to trick the checksum (SHA-256) and the address
    (SHA-1); at various locations: Guix history (now signed), SWH,
    Disarchive-DB.

1:
2:
3:

>>> Also, just because a URL looks nice and is reachable doesn’t mean the
>>> source is trustworthy either.  An attacker could submit a package for an
>>> obscure piece of software that happens to be malware.  The difference
>>> here is that the trick above would allow targeting a high-impact
>>> package.
>>
>> I agree.
>
> I also agree (obviously) and I think this kind of attack should also be
> documented in the manual (if not already done)

Well, nothing new here, IMHO.  A distribution relies on content, i.e.,
any distribution points to that content.  Whatever the nature of the
pointing arrow (URL, Git commit, hash, etc.), the pointed material must
be carefully checked at package time; as explained by «Submitting
Patches» [4]. :-)

That’s why I am advocating [5] that: new packages should *always* go via
guix-patches, wait 15 days, then push if no remark.  It gives the
community time to chime in.  And if not, it just slows down for 2 weeks.

4:
5:

Cheers,
simon
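Point (c) above, the need to trick both the SHA-256 checksum and the SHA-1 address, can be checked mechanically. The following is an added example, not code from Guix, SWH or this thread. It assumes two things that hold for those systems: `guix hash` prints a flat SHA-256 in Nix's base32 alphabet, and a Software Heritage content identifier (`swh:1:cnt:...`) is the Git blob SHA-1 of the same bytes, i.e. `sha1("blob <len>\0" + bytes)`. The "release tarball" it hashes is a constructed byte string, and the two recorded identifiers are derived from it in the script rather than fetched from a signed Guix commit or from SWH.

```python
"""Cross-check one source blob against the two independent records the
message mentions: the SHA-256 Guix pins in its (signed) package definition
and the SHA-1 content address Software Heritage archives it under.

Added example, not Guix or SWH code.  Assumptions: `guix hash` output is
SHA-256 in Nix base32; an SWH content id is the Git blob SHA-1 of the bytes.
"""
import hashlib

# Nix/Guix base32 alphabet (digits and letters minus e, o, t, u).
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a digest the way Nix/Guix print hashes: 5-bit groups taken
    from the least significant end of the byte string, emitted in reverse."""
    n = len(digest)
    out_len = (n * 8 - 1) // 5 + 1  # 52 characters for SHA-256
    chars = []
    for i in range(out_len - 1, -1, -1):
        byte, bit = divmod(i * 5, 8)
        c = digest[byte] >> bit
        if byte + 1 < n:
            c |= digest[byte + 1] << (8 - bit)
        chars.append(NIX_BASE32[c & 0x1F])
    return "".join(chars)


def guix_sha256(content: bytes) -> str:
    """What `guix hash` prints for this blob (flat, recursive=False)."""
    return nix_base32(hashlib.sha256(content).digest())


def swh_content_id(content: bytes) -> str:
    """SWHID of a file's bytes: Git blob hash, sha1(b"blob <len>\\0" + bytes)."""
    header = b"blob %d\0" % len(content)
    return "swh:1:cnt:" + hashlib.sha1(header + content).hexdigest()


def verify_source(content: bytes, recorded_guix_hash: str, recorded_swhid: str) -> dict:
    """Check a candidate blob against both records.  Each check is independent,
    so a substitution must satisfy SHA-256 and the SHA-1 address at once."""
    return {
        "guix_sha256": guix_sha256(content) == recorded_guix_hash,
        "swh_sha1": swh_content_id(content) == recorded_swhid,
    }


# Constructed sample: a tiny "release" and a copy with one extra line.
GENUINE = b"#!/bin/sh\necho 'hello from upstream'\n"
TAMPERED = GENUINE + b"echo 'one extra line'\n"

# Stand-ins for the value pinned in the Guix commit and the SWH archive entry.
RECORDED_GUIX = guix_sha256(GENUINE)
RECORDED_SWHID = swh_content_id(GENUINE)

if __name__ == "__main__":
    print("guix hash:", RECORDED_GUIX)
    print("swhid:    ", RECORDED_SWHID)
    print("genuine:  ", verify_source(GENUINE, RECORDED_GUIX, RECORDED_SWHID))
    print("tampered: ", verify_source(TAMPERED, RECORDED_GUIX, RECORDED_SWHID))
```

Running it prints both identifiers for the genuine blob and shows the tampered copy failing both checks. The two hash functions are computed over different inputs (raw bytes for SHA-256, a length-prefixed blob for SHA-1) and are recorded in different places, which is why a single chosen-prefix collision against SHA-1 does not by itself get a substituted source past a reviewer who also runs `guix lint` against the pinned SHA-256.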