From: Ludovic Courtès
To: Skyler Ferris
Cc: Andreas Enge, Ekaitz Zarraga, Attila Lendvai, Giovanni Biscuolo, Guix Devel
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Fri, 19 Apr 2024 16:31:37 +0200
Message-ID: <87edb1e852.fsf@gnu.org>
In-Reply-To: Skyler Ferris's message of "Sat, 13 Apr 2024 00:14:17 +0000"
List: guix-devel@gnu.org

Hi,

Skyler Ferris wrote:

> In short, I'm not sure that we actually get any value from checking the
> PGP signature for most projects. Either HTTPS is good enough or the
> attacker won. 99% of the time HTTPS is good enough (though it is notable
> that the remaining 1% has a disproportionate impact on the affected
> population).
When checking PGP signatures, you end up with a trust-on-first-use model: the first time, you download a PGP key that you know nothing about and you authenticate code against that, which gives no information. On subsequent releases though, you can ensure (ideally) that releases still originate from the same party.

HTTPS has nothing to do with that: it just proves that the web server holds a valid certificate for its domain name.

But really, the gold standard, if I dare forego any form of modesty, is the ‘.guix-authorizations’ model as it takes care of key distribution as well as authorization delegation and revocation.

https://doi.org/10.22152/programming-journal.org/2023/7/1

Ludo’.
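The authorization rule Ludovic contrasts with TOFU, as an added example that is not part of this thread and not Guix's own code: each commit carries the list of keys allowed to sign the next commit, so delegation and revocation are themselves signed changes, and the introductory commit is trusted because the user pinned it, not because it was the first key downloaded. Assumptions: ed25519 stands in for the OpenPGP keys Guix actually uses, history is linear (one parent per commit), and the names `Commit`, `Sign`, `Authentic` and `NewKey` are invented for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

func NewKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail here
	return priv
}

// Commit is one signed revision carrying its own authorization list (the role of
// .guix-authorizations): Auths names the keys allowed to sign the NEXT commit.
type Commit struct {
	Parent *Commit // nil for the introductory commit, which users pin out of band
	Auths  []ed25519.PublicKey
	Signer ed25519.PublicKey
	Sig    []byte
}
// payload is what gets signed: this list plus the parent's signature, which covers the ancestry.
func (c *Commit) payload() []byte {
	var m []byte
	if c.Parent != nil {
		m = append(m, c.Parent.Sig...)
	}
	for _, k := range c.Auths {
		m = append(m, k...)
	}
	return m
}
func Sign(parent *Commit, signer ed25519.PrivateKey, auths ...ed25519.PublicKey) *Commit {
	c := &Commit{Parent: parent, Auths: auths, Signer: signer.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(signer, c.payload())
	return c
}
// Authentic walks back to the introductory commit: every signature must verify and
// every signer must be listed by its parent; the root is trusted because it was pinned.
func Authentic(c *Commit) bool {
	ok := ed25519.Verify(c.Signer, c.payload(), c.Sig)
	if c.Parent == nil {
		return ok
	}
	for _, k := range c.Parent.Auths {
		if k.Equal(c.Signer) {
			return ok && Authentic(c.Parent)
		}
	}
	return false
}
```

A key that has been dropped from the list cannot re-add itself, an unlisted key cannot add itself, and editing an old list after the fact breaks every signature that depends on it.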