From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id 8HoUDd7wcWGxLgAAgWs5BA (envelope-from ) for ; Fri, 22 Oct 2021 00:59:42 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id +IS7CN7wcWGpKwAAB5/wlQ (envelope-from ) for ; Thu, 21 Oct 2021 22:59:42 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E980212F7E for ; Fri, 22 Oct 2021 00:59:41 +0200 (CEST) Received: from localhost ([::1]:39186 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mdh2D-0001iL-05 for larch@yhetil.org; Thu, 21 Oct 2021 18:59:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48680) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mdh1n-0001gS-OQ for guix-devel@gnu.org; Thu, 21 Oct 2021 18:59:16 -0400 Received: from tobias.gr ([2a02:c205:2020:6054::1]:33080) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mdh1k-00069Q-Sl for guix-devel@gnu.org; Thu, 21 Oct 2021 18:59:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=Oig/IXVbDLzK6 Z1XL1IVwdTjX/7yfVIcFzagyNhBSoY=; h=in-reply-to:date:subject:cc:to: from:references; d=tobias.gr; b=gGtxDCKHeyWLolNcT2eEkvjwFyHoqCzA/hIEEa xCO5K0OtzKxnLTZSPb0G8HT87S/2x2sRd2JDvPhLCUVbCrzk6pLJ42XYg5vhCeBUO21ai3 Jb4Tglff35qd1wRhHedMaweTJcU0iBOYs7RSa3QCi0icJ5XNhaQwU5SkA5s8PKGdHmuIN1 9oit4arOob9quOQY8B9u2rh6O5CSBS5yc3P7aMsKkwfobBv52O1Wf4KzV2gYjeaNQN8oNw hZR+qolXLzGds7mMknsO4XSfUzhKJkk6tPsuX4+XRS9Eu1T3lQdO6dbF66DEiXyBj5+nGq vSCwz4lum6uFOAUoll4KIhPg== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id bcd2055e (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 21 Oct 2021 22:59:04 +0000 (UTC) References: <864k9a2r1m.fsf@gmail.com> <878rynh0yq.fsf@systemreboot.net> <87cznz74l5.fsf@nckx> <864k9ag5k0.fsf@gmail.com> <87a6j272oz.fsf@nckx> <14fcfe6c31dab2128746730df72caba0@libre.brussels> <867de611ya.fsf@gmail.com> From: Tobias Geerinckx-Rice To: zimoun Cc: Jonathan McHugh , guix-devel@gnu.org Subject: Re: Public guix offload server Date: Fri, 22 Oct 2021 00:16:17 +0200 In-reply-to: <867de611ya.fsf@gmail.com> BIMI-Selector: v=BIMI1; s=default; Message-ID: <87mtn256it.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr; helo=tobias.gr X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1634857182; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=Oig/IXVbDLzK6Z1XL1IVwdTjX/7yfVIcFzagyNhBSoY=; b=PgPLRDyfmLmR4a5P+8PpLwa/bPrM2A2a5mOxAhIwmEY2cvzZ68avgP8QGOW3I3uCMhg+VC 1BMX1CZuknIhImspRhXGP8Ymf85pJ8WNbT+Cqwj2WfT1N9dgV/wqSYZOAeqXEk4zcueVuH kXnoEvR8nmQspzyfww9qiBcHk2MAyOfZVaI/h0cXTaR7Fc4qNox20/5KUIJK2mxXWWzL3a TmqWc/8VboEk5kvoK40LVww4Xf8LShfpBnCzayqkx1Kx+KIaLMTX9P9nEE3NPpq4lCtubG 3BYuewJdgKuwozKL2/2pwpxi1ZmApEQDBn15DNlnry2OzonELAhtk9w511aU0g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634857182; a=rsa-sha256; cv=none; b=g2rKIWox+sco7ltTGDkLp2W99Uc9GNsXMLY6oyGsun+uGuAsBaCvBNekjkMd10penAV0mx sg1kuZe2rhSPg+9tO6gRBQ9jIARN34jVd23BwjOeLwDgQqASD3xfbPwNlb0swLDXbf9CHC OMNowGkoGnI4X+MCiTsNu+T1DcGQ1CAIGftIeYkVeldiSS6MHGF1SASuZeFinMZCBKQouN c/ZTIEvFWaBGYty4/YhK2EL3DpCDr7Qy6XFM8rdes3MRB8NHeMMzsJ/GHi8NGOMmKpBAd7 1NRwYryCZzpceCO66OWeZVDnX9HFzx4uqfcg/558yK9uxg/i9BIbjlma8AitnQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=tobias.gr header.s=2018 header.b=gGtxDCKH; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -4.73 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=tobias.gr header.s=2018 header.b=gGtxDCKH; dmarc=pass (policy=reject) header.from=tobias.gr; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: E980212F7E X-Spam-Score: -4.73 X-Migadu-Scanner: scn0.migadu.com X-TUID: EeB8+S/lzid2 --=-=-= Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable All, zimoun =E5=86=99=E9=81=93=EF=BC=9A >>> Do you mean that trusted users would try WM-escape exploits? >> The world has been formed by warewolves inside communities=20 >> purposely >> causing harm. Looking further back, Oliver the Spy is a classic >> examplar of trust networks being hollowed out. So=E2=80=A6 > I cannot assume that on one hand one trusted person pushes to=20 > the main > Git repo in good faith and on other hand this very same trusted=20 > person > behaves as a warewolves using a shared resource. =E2=80=A6li'l' sleepy here, bewarned, but before this gets out of hand: I=20 never implied direct abuse of trust by committers. I don't=20 consider it the main threat[0]. There are the people you meet at FOSDEM and the users who log into=20 machines. Both can be compromised, but the latter are much easier=20 and more likely to be. Such compromise is not laughable or hypothetical: it happens=20 *constantly*. It's how kernel.org was utterly owned[1]. Trusting people not to be evil is not the same as having to trust=20 the opsec habits of every single one of them. Trust isn't=20 transitive. Personally, I don't think a rogue zimoun will=20 suddenly decide to abuse us. I think rogues will abuse zimoun the=20 very first chance they get. That's not a matter of degree: it's a whole different threat=20 model, as is injecting arbitrary binaries vs. pushing malicious=20 code commits. Both are bad news, but there's an order of=20 magnitude difference between the two. > For sure, one can always abuse the trust. Based on this=20 > principle, we > could stop any collaborative work right now. The real question=20 > is the > evaluation of the risk of such abuse by trusted people after=20 > long period > of collaboration (that=E2=80=99s what committer usually means). Isn't that the kind of hands-up-in-the-air why-bother=20 nothing's-perfect fatalism I thought your Python quote (thanks!)=20 was trying to warn me about? ;-) Zzz, T G-R [0]: That's probably no more than an optimistic human flaw on my=20 part and =E2=80=98disgruntled ex-whatevers=E2=80=99 are probably more of a = threat=20 that most orgs dare to admit. [1]: I know, ancient history, but I'm working from memory here.=20 I'm sure it would be trivial to find a more topical example. --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYXHwug0cbWVAdG9iaWFz LmdyAAoJEA2w/4hPVW15mCIBAOhqBPQwzaf1H5yycLRlsNhsGnAmjVdjLGq/4/jD BRVHAQC+/wTp3yudgJVRdiJTLjmthzXeDam9VpYe3Su++LFyBw== =SKxf -----END PGP SIGNATURE----- --=-=-=--