From: Jeremiah@pdp10.guru
To: rekado@elephly.net
Cc: guix-devel@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
In-Reply-To: 87o7xmtwu5.fsf@elephly.net
Date: Tue, 19 Jul 2022 00:35:56 +0000
Message-ID: <875yjuos5v.fsf@ITSx01.pdp10.guru>

This is why things like SELinux exist, combine with separate binaries for the functionality that impacts things outside of the store to quickly minimize possible damage.

If the binary can only create links the possible damage is quite limited.

But the much more dangerous modification is much more subtle and can go months to years without being noticed.

To which there is no defense. As there is no way to know when a person you trust will go crazy, turn evil or flip the switch they planned many years ago.

Heck, the possible exploits that could be in the bootstrap seeds could be so subtle you wouldn't notice or even hidden in the kernel itself:
https://gitlab.com/bauen1/stage0-backdoor.git

Making reviews by third parties cheap, making forking cheap and never assuming that anyone should be completely trusted is usually a secure place to start.

And why the bootstrap seeds README starts with:

NEVER TRUST ANYTHING IN HERE

I could be evil after all

-Jeremiah