From: zimoun
Date: Mon, 27 Jul 2020 20:13:39 +0200
Subject: Re: Securing the software distribution chain
To: Ludovic Courtès
Cc: Guix Devel

Dear,

On Mon, 27 Jul 2020 at 14:54, Ludovic Courtès wrote:

> Of course we could have additional tools to make use of that info, say
> ‘guix build -S --authenticate’ or something.  But that would still be
> optional.

What do you mean?  The command "guix build -S" returns the tarball
(where non-free code is removed).  Therefore, this hypothetical and
optional "--authenticate" would authenticate against who?  The user
who runs the command; well, I am not sure it is a useful use-case.
The build farm which would authenticate substitutes, but the commits
are already signed so it would not add some trust.

> Note that ‘guix refresh -u’ and ‘guix import gnu’ (and maybe other
> importers too?) take care of tarball authentication already.  ‘guix
> download’ could share part of the mechanism.  I agree it would be nice.

[...]

> On a related note, and perhaps that’s what you mean by “parts of the
> artifact changing”, see the discussion on authenticating source code
> archived at Software Heritage:
>
>   https://sympa.inria.fr/sympa/arc/swh-devel/2016-07/msg00009.html
>   https://forge.softwareheritage.org/T2430#46046
>   https://issues.guix.gnu.org/42162#4
>
> Content-addressing is nice, but not very useful if each tool (IPFS, SWH,
> Git, Guix) has its own way to address content…

Well, the challenge seems here.  First transition from url-fetch
signed tarballs to authenticable content-addressed code such as signed
git-fetch and second be able to bridge the different address contents.
Or let fall in the trap [1]. :-)

1: https://xkcd.com/927/

All the best,
simon
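
An illustration of the "each tool has its own way to address content" point, added here and not part of the original message or of any project's code: the same bytes get a different identifier under plain SHA-256, Guix's nix-base32 rendering of it, Git's blob hash and the Software Heritage content SWHID, so bridging them requires an explicit index. It covers single file contents only (not tarballs, directory trees or IPFS CIDs); `build_bridge` and the sample files are hypothetical.

```python
import hashlib

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # nix-base32 alphabet: no e, o, t, u

def nix_base32(digest: bytes) -> str:
    """Encode a digest in nix-base32, the form Guix uses in (base32 "...")."""
    nchars = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(nchars - 1, -1, -1):      # most significant 5-bit group first
        i, j = divmod(n * 5, 8)
        nxt = digest[i + 1] if i + 1 < len(digest) else 0
        out.append(NIX_B32[((digest[i] >> j) | (nxt << (8 - j))) & 0x1F])
    return "".join(out)

def git_blob_id(data: bytes) -> str:
    """Git hashes a 'blob <size>\\0' header plus the content, not the raw bytes."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def identifiers(data: bytes) -> dict:
    """Return the identifier each scheme assigns to the same file content."""
    sha256 = hashlib.sha256(data)
    blob = git_blob_id(data)
    return {
        "sha256-hex": sha256.hexdigest(),
        "guix": nix_base32(sha256.digest()),  # same digest, different encoding
        "git": blob,
        "swh": "swh:1:cnt:" + blob,           # SWHID for contents reuses the Git blob id
    }

def build_bridge(files: dict) -> dict:
    """Hypothetical bridge: map (scheme, identifier) back to one file name."""
    index = {}
    for name, data in files.items():
        for scheme, ident in identifiers(data).items():
            index[(scheme, ident)] = name
    return index

if __name__ == "__main__":
    # Constructed sample input, not taken from any real package.
    sample = {"hello.txt": b"hello world\n", "empty": b""}
    for (scheme, ident), name in sorted(build_bridge(sample).items()):
        print(f"{name:10} {scheme:11} {ident}")
```
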