From: Ludovic Courtès
To: Liliana Marie Prikler
Cc: guix-devel@gnu.org
Subject: Re: Tricking peer review
Date: Mon, 18 Oct 2021 09:34:57 +0200
Message-ID: <87o87mdc1d.fsf@inria.fr>
References: <874k9if7am.fsf@inria.fr>
In-Reply-To: (Liliana Marie Prikler's message of "Sat, 16 Oct 2021 00:03:22 +0200")
X-URL: http://www.fdn.fr/~lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
List-Id: "Development of GNU Guix and the GNU System distribution."
Moin!

Liliana Marie Prikler wrote:

> On Friday, 15.10.2021, 20:54 +0200, Ludovic Courtès wrote:

[...]

>> It’s nothing new, it’s what I do when I want to test the download
>> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
>> c4a7aa82e25503133a1bd33148d17968c899a5f5).  Still, I wonder if it
>> could somehow be abused to have malicious packages pass review.
> I don't think this is much of a problem for packages where we have
> another source of truth (in this case mirrors/archives of sed), but it
> does point at a bigger problem when SWH is our only source of truth.
> I.e. when trying to conserve such software for the future, when other
> archives might fail and perhaps SHA256 itself might be broken, we can
> no longer be sure that the Guix time-machine indeed does what it
> promises.

At the time a package is committed, its source is normally not
downloaded from SWH—at least that’s what we aim for, and ‘guix lint’
warns against 404 source URLs.  So when the package is reviewed and
committed, people can check the origin of the source, verify it against
published signatures when possible, and so on.

>> Also, just because a URL looks nice and is reachable doesn’t mean the
>> source is trustworthy either.  An attacker could submit a package for
>> an obscure piece of software that happens to be malware.  The
>> difference here is that the trick above would allow targeting a high-
>> impact package.
> Again, less of an issue w.r.t. review because the reviewers can at
> review time check that the tarball matches their expectations.  I
> personally find "I can't find this source anywhere but on SWH" to be a
> perfect reason to reject software in the main Guix channel, though
> perhaps that rule is a bit softer in Guix Past.

Right.

SWH is a fallback, meaning that, eventually, most source gets downloaded
from there (because the original hosting sites vanish); but again, at
the time of review, source must be available elsewhere.

>> On the plus side, such an attack would be recorded forever in Git
>> history.
> On the minus side, time-machine makes said record a landmine to step
> into.

That’s one way to look at it; the same could be said of unpatched
vulnerabilities found in old versions.  It remains that deploying from a
pinned Guix revision has its uses.

[...]

> I agree that cross-checking “guix download” might be good praxis for
> review.

Reviewing includes at least building the package, thus downloading its
source, and running ‘guix lint’.  So there’s nothing really new here I
guess.

> Perhaps in light of this we should extend it to Git/SVN/other VCS?

Thanks,
Ludo’.
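The ‘guix download’ cross-check discussed in this thread, as an added example that is not part of the thread or of Guix itself: it reimplements the nix-base32 encoding that ‘guix hash’ and ‘guix download’ print, so a reviewer can hash a tarball fetched from the upstream URL (not the SWH fallback) and compare it with the hash declared in the package definition. The sample tarball bytes are constructed and the function names are my own.

```python
import hashlib

# Nix/Guix base32 alphabet: digits and lowercase letters minus e, o, t, u.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(digest: bytes) -> str:
    """Encode a raw digest as Nix's printHash32 does: 5-bit groups, LSB-first."""
    n_chars = (len(digest) * 8 + 4) // 5
    out = []
    for n in range(n_chars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, n_bytes: int = 32) -> bytes:
    """Inverse of nix_base32_encode; rejects a wrong length or bad symbols."""
    if len(text) != (n_bytes * 8 + 4) // 5:
        raise ValueError("wrong nix-base32 length for a %d-byte digest" % n_bytes)
    buf = bytearray(n_bytes)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.find(ch)
        if digit < 0:
            raise ValueError("invalid nix-base32 character %r" % ch)
        i, j = divmod(n * 5, 8)
        buf[i] |= (digit << j) & 0xFF
        if i + 1 < n_bytes:
            buf[i + 1] |= digit >> (8 - j)
    return bytes(buf)


def verify_origin(declared_hash: str, fetched: bytes) -> dict:
    """Compare bytes fetched from the upstream URL with the declared sha256."""
    actual = hashlib.sha256(fetched).digest()
    expected = nix_base32_decode(declared_hash)
    return {"match": actual == expected, "actual": nix_base32_encode(actual)}


# Constructed stand-in for a tarball fetched from upstream; in a real review
# the bytes come from the package's declared URL, not from the SWH fallback.
SAMPLE_TARBALL = b"sed-4.8 sample bytes (constructed for this example)\n"
DECLARED_HASH = nix_base32_encode(hashlib.sha256(SAMPLE_TARBALL).digest())

if __name__ == "__main__":
    print(verify_origin(DECLARED_HASH, SAMPLE_TARBALL))         # match: True
    print(verify_origin(DECLARED_HASH, SAMPLE_TARBALL + b"x"))  # match: False
```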