From: zimoun <zimon.toutoune@gmail.com>
To: kiasoc5@disroot.org, guix-devel@gnu.org
Subject: Re: auth-tarball-from-git
Date: Mon, 30 May 2022 10:17:45 +0200 [thread overview]
Message-ID: <87zgizbfiu.fsf@gmail.com> (raw)
In-Reply-To: <34a12bbaae833ce9f53a106ea2108da3880cd3de@disroot.org>
Hi,
On lun., 30 mai 2022 at 01:45, kiasoc5@disroot.org wrote:
> Authenticate a tarball through a signed tag in a git repository (with reproducible builds).
>
> Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/
In this post, it reads:
Personally - if I had to decide between these two - I’d prefer
the later because I can always try to authenticate the pinned
tarball later on,
which is the case for Guix. Even, Guix is somehow already implementing
this third way because each commit modifying a package is signed. From
the post, the file ’chrisduerr.pgp’ and ’kchibisov.pgp’ are the Guix
committer keys [1].
(Hum, I do not understand what this means:
but it’s impossible to know for sure which source code has been
used if all I know is “something that had a valid signature on
it”.
but that’s another story. :-))
Well, in this frame about security, the question is: who trusts who? I
do not think that the addition of an automatic signature check of source
code’s author key enforces more security for Guix users. It adds more
complexity and does not fix the current bottleneck of trust: the Guix
packager and Guix committer.
Other said, if you do not trust the Guix packagers and Guix committers,
then you have to personally check the authenticity of the source code.
Using an automatic process with data from Guix packages or Guix
committers contradicts the assumption «you do not trust them».
Therefore, it does not fix the current weakness.
However, such ’auth-tarball-from-git’ can be of high interest when
Submitting Patching [2]:
2. If the authors of the packaged software provide a
cryptographic signature for the release tarball, make an effort
to verify the authenticity of the archive. For a detached GPG
signature file this would be done with the gpg --verify command.
Cheers,
simon
1: <https://git.savannah.gnu.org/cgit/guix.git/tree/.guix-authorizations>
2: <https://guix.gnu.org/manual/devel/en/guix.html#Submitting-Patches>
next prev parent reply other threads:[~2022-05-30 8:26 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-30 1:45 auth-tarball-from-git kiasoc5
2022-05-30 8:17 ` zimoun [this message]
2022-05-30 16:21 ` auth-tarball-from-git Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zgizbfiu.fsf@gmail.com \
--to=zimon.toutoune@gmail.com \
--cc=guix-devel@gnu.org \
--cc=kiasoc5@disroot.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).