From: zimoun
To: kiasoc5@disroot.org, guix-devel@gnu.org
Subject: Re: auth-tarball-from-git
In-Reply-To: <34a12bbaae833ce9f53a106ea2108da3880cd3de@disroot.org>
References: <34a12bbaae833ce9f53a106ea2108da3880cd3de@disroot.org>
Date: Mon, 30 May 2022 10:17:45 +0200
Message-ID: <87zgizbfiu.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution." (guix-devel@gnu.org)

Hi,

On Mon, 30 May 2022 at 01:45, kiasoc5@disroot.org wrote:

> Authenticate a tarball through a signed tag in a git repository (with
> reproducible builds).
>
> Blog post: https://vulns.xyz/2022/05/auth-tarball-from-git/

In this post, it reads:

    Personally - if I had to decide between these two - I'd prefer the
    latter because I can always try to authenticate the pinned tarball
    later on,

which is the case for Guix.  Even, Guix is somehow already implementing
this third way because each commit modifying a package is signed.  From
the post, the files 'chrisduerr.pgp' and 'kchibisov.pgp' are the Guix
committer keys [1].

(Hum, I do not understand what this means:

    but it's impossible to know for sure which source code has been
    used if all I know is "something that had a valid signature on it".

but that's another story. :-))

Well, in this frame about security, the question is: who trusts who?

I do not think that the addition of an automatic signature check of
source code's author key enforces more security for Guix users.
It adds more complexity and does not fix the current bottleneck of
trust: the Guix packager and Guix committer.  In other words, if you do
not trust the Guix packagers and Guix committers, then you have to
personally check the authenticity of the source code.  Using an
automatic process with data from Guix packages or Guix committers
contradicts the assumption «you do not trust them».  Therefore, it does
not fix the current weakness.

However, such 'auth-tarball-from-git' can be of high interest when
Submitting Patches [2]:

    2. If the authors of the packaged software provide a cryptographic
    signature for the release tarball, make an effort to verify the
    authenticity of the archive.  For a detached GPG signature file
    this would be done with the gpg --verify command.

Cheers,
simon

1:
2:
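The quoted guideline stops at `gpg --verify`, and that is exactly where a packager still has to be careful: gpg exits 0 for a valid signature made by any key in the keyring, so the check must also pin which key signed. The following is an added example, not code from this thread, from the blog post, or from Guix. It parses the machine-readable `--status-fd` lines gpg emits during `--verify` and accepts a detached signature only when the fingerprint on the VALIDSIG line matches a pinned upstream fingerprint; the exit code is deliberately not used as the decision. The fingerprints, key ids and status lines below are constructed sample data, and `verify_detached` is a hypothetical wrapper that only runs when gpg is installed.

```python
"""Verify a detached GPG signature on a release tarball and pin the signer.

Added example; not code from the thread, the blog post, or Guix.
`gpg --verify` exits 0 when *any* key in the keyring produced a valid
signature, so a packager must also check *which* key signed.  GnuPG
reports that on its machine-readable status channel (`--status-fd`);
this module parses those lines and accepts only a pinned fingerprint.
"""
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Status keywords that mean "do not accept", whatever else gpg printed.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprints: List[str]  # fingerprints gpg reported on VALIDSIG lines


def parse_status(status_text: str, expected_fpr: str) -> VerifyResult:
    """Accept only a GOODSIG whose VALIDSIG fingerprint matches expected_fpr.

    expected_fpr is the 40-hex fingerprint of the upstream author's key
    (spaces as printed by `gpg --fingerprint` are allowed).  Both the
    signing (sub)key fingerprint and, when gpg reports it, the primary
    key fingerprint on the VALIDSIG line count as a match.
    """
    want = expected_fpr.replace(" ", "").upper()
    good = False
    seen: List[str] = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable gpg output may be interleaved; skip it
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL_KEYWORDS:
            return VerifyResult(False, keyword, seen)
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsv> <pkalgo>
            #          <hashalgo> <class> [<primary-key-fpr>]
            seen.append(fields[2].upper())
            if len(fields) >= 12:
                seen.append(fields[11].upper())
    if not good or not seen:
        return VerifyResult(False, "no valid signature reported", seen)
    if want not in seen:
        return VerifyResult(False, "valid signature, but not from the pinned key", seen)
    return VerifyResult(True, "signature valid and signer pinned", seen)


def verify_detached(tarball: str, signature: str, expected_fpr: str,
                    gpg_home: Optional[str] = None) -> VerifyResult:
    """Run `gpg --verify <sig> <tarball>` and pin the signer (hypothetical wrapper)."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return VerifyResult(False, "gpg not installed", [])
    cmd = [gpg, "--batch", "--no-tty", "--status-fd", "1"]
    if gpg_home is not None:
        # A throwaway keyring holding only the pinned upstream key.
        cmd += ["--homedir", gpg_home]
    cmd += ["--verify", signature, tarball]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # proc.returncode is deliberately ignored: the status lines are the decision.
    return parse_status(proc.stdout, expected_fpr)


# Constructed sample data (not real keys and not real gpg output).
UPSTREAM_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
SUBKEY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
GOOD_PINNED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG {SUBKEY_FPR} 2022-05-30 1653899094 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
GOOD_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else <else@example.net>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2022-05-30 1653899094 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
BAD_SIG = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 76543210FEDCBA98 Example Upstream <upstream@example.org>\n"
NO_KEY = ("[GNUPG:] NEWSIG\n"
          "[GNUPG:] ERRSIG 76543210FEDCBA98 1 10 00 1653899094 9 " + SUBKEY_FPR + "\n"
          "[GNUPG:] NO_PUBKEY 76543210FEDCBA98\n")


if __name__ == "__main__":
    for name, text in [("pinned", GOOD_PINNED), ("other key", GOOD_OTHER_KEY),
                       ("bad sig", BAD_SIG), ("no key", NO_KEY)]:
        r = parse_status(text, UPSTREAM_FPR)
        print(f"{name:10} ok={r.ok} reason={r.reason}")
```

The second sample is the case the exit code hides: a perfectly valid signature from a key that is not upstream's. Importing the author's key into a throwaway `--homedir` and passing that as `gpg_home` keeps the check independent of whatever else is in the packager's personal keyring.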