From: Tobias Geerinckx-Rice
To: Arun Isaac
Cc: guix-devel@gnu.org
Subject: Re: Public guix offload server
Date: Wed, 20 Oct 2021 23:06:05 +0200
In-reply-to: <878rynh0yq.fsf@systemreboot.net>
References: <878rynh0yq.fsf@systemreboot.net>
Message-ID: <87cznz74l5.fsf@nckx>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hi Arun,

Arun Isaac wrote:
> If security is a problem with a public access guix offload server, we
> could make it semi-public and available at least to people with commit
> access.

Giving access only to people with commit access is a given, but any shared offload server is a huge shared security risk.

Guix is not content-addressed. Any [compromised] user can upload arbitrary malicious binaries with store hashes identical to the legitimate build. These malicious binaries can then be downloaded by other clients, which presumably all have commit access.

Now the attacker almost certainly has covert access to one or more user accounts that can push signed commits to Guix upstream.

> Currently, guix offload requires mutual trust between the master
> and the build machines. If we could make the trust only one-way,
> security might be less of an issue.

It might! It's easy to imagine a second, less powerful offload protocol where clients can submit only derivations to be built by the remote daemon, plus fixed-output derivations. None of the ‘let me send the entire binary toolchain so you don't have to build it from scratch’ of the current protocol. This at least removes their control over the source hash.

At that point, one might consider dropping SSH account-based access in favour of a minimal job submission API, and just return the results through guix publish or so…? OTOH, that's yet another code path.

> WDYT? How does everyone else handle big builds? Do you have access to
> powerful workstations?

By waiting, and planning. I'm lucky to have a ridiculously overpowered ThinkPad for its age and a newer headless tower at home that can run builds 24/7, but nothing close to a ‘powerful workstation’ by industry standards.

Zzz,

T G-R