From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:306:2d92::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id sOxAE6kB+2T/XAEAauVa8A:P1 (envelope-from ) for ; Fri, 08 Sep 2023 13:12:41 +0200 Received: from aspmx1.migadu.com ([2001:41d0:306:2d92::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id sOxAE6kB+2T/XAEAauVa8A (envelope-from ) for ; Fri, 08 Sep 2023 13:12:41 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id CE6305232B for ; Fri, 8 Sep 2023 13:12:40 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=wolfsden.cz header.s=mail header.b="E/zyy+gu"; dkim=pass header.d=wolfsden.cz header.s=mail header.b="E/zyy+gu"; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=wolfsden.cz ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1694171561; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=Zu1b31+KG4BmONFtR/LbU3M2Few98cdx8Vo5Ox91EOA=; b=bMnvPfaJzGg8ql3genF7oYNb/c6Uey5tybF6muD+I1J31JYPsCmXcilr0V6RnsgrgR+s/J +lks2/JAD6WA5EfoutkmuVE3+OVRJ5dXUtyb6yLg/3goVvgjfTygWyJBIJ9YtQS6aa7vNy kryR7UL+ioaE9udivI7K2yZVgYx9Z8J/8isvwnx2Rtyg2iUgcefCrXhoYDjbgVPakLUdWe pSsd95UMcW+c9jAAs5Pzu1RpJV5NaY57RzvQs7FQuHbdn5XKZ0CIXUvJw8kmQdCUZyjYYY HKYPbN45cozrCXj6+3Qd16HSeWaUqCpI1nmn2D0iQCRu3DgOVgCmtzuDtVhmTg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1694171561; a=rsa-sha256; cv=none; b=NoK9swfbQTjn6JVFiAE1smEb4BzAagWcth7dzLZemeGhz0sB0Zg5KEAKOExmXRjmKd9xik riAA82lbQUWR23hDGJ9qOhT8vsNQsKohwu6+ciRotAXOXVzEsnO7XH5v98+AVJtDnY/nYr jYfplyY1W2Yxip+11YNYhfVYFgMI7E/eJumSjqOJCUAEm1nwyoOPrITKnCS82Wka7o/pl+ rRPhn1uX0Um/QHBl4JVUawCa+3R12fK9Fctz4wJxLOoi4gG9qESTMr+wMMcQy+T3MKENOa qzafvez8n0Cq6c66oGHUQTJJoZnRhmv3SQ5LfatXZBanj1Uqc2cVLLLJ47rXBw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=wolfsden.cz header.s=mail header.b="E/zyy+gu"; dkim=pass header.d=wolfsden.cz header.s=mail header.b="E/zyy+gu"; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=none) header.from=wolfsden.cz Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qeZPF-0007xx-GS; Fri, 08 Sep 2023 07:12:10 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qeZP8-0007rU-1A for guix-devel@gnu.org; Fri, 08 Sep 2023 07:12:02 -0400 Received: from wolfsden.cz ([37.205.8.62]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qeZP2-0006Tv-Eo for guix-devel@gnu.org; Fri, 08 Sep 2023 07:12:00 -0400 Received: by wolfsden.cz (Postfix, from userid 104) id A9DBE2594B3; Fri, 8 Sep 2023 11:11:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wolfsden.cz; s=mail; t=1694171509; bh=bHua6V1JkLwklqdqxMXE+y0VkHtPn+ralfJZKPxoWYQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=E/zyy+guuPi9TrR8TbY3C7W6qayTtBIccFQoNyGfSAwKWZClQl2K0bRvCARPrAKo4 1fWrUvWgDMf1jFG6Uv0IewMM4GqUxrRfbfPi/CtFdDy4ioNJE5DCKkY5wnrCJSRTA0 r9leJN5+j98onQQnDrtIEDyLKDBPjCXrP3/0ZnvzXe0Bsb2Imj2syqkW5pbNdZeQss wIIdEo9jNyy5Qu5YQQ33p0J2zIilHVI6P47Cmwzv3wY9nyYECCepnEM7psHr01e8Pu 4jQo4pHIY9fWxsAqv+MU6l3oCSsUYxOCs+0NsSk2WQmPHp11FnU/nLLgpw0uQzs1HI WhZE1TxnkVtJBrseE7Z415ko1E7LoQirDFY2zmULewoPyD+leL1sRRWT8rEttPXNlJ h8DaTqihsyMy1j9trmMDvvGr6gkGG9erUC/udSR1W4bdRcAa8qP1JDslMqhcnkJHUr S6sTBfYtNpKSfaxEqNrpm7v/L846GSzbXPjWNPb8RVqRxW4KsinZZrL9PNPm+mZshW qSQZxjMucsd8iRmT4pUZ9flWuH3WJfdLN4imM3Zg9DenLUMR2Lg4SeSfjqD29v/05F QCvSC0DEyjia8mnj5s91+6uEFr1zgo184YGQ4sj3k5/gzPW0dTKddcf6BkBVYezFTL wqge2tD1/y/UlTxTf4/BCYUw= Received: from localhost (unknown [193.32.127.144]) by wolfsden.cz (Postfix) with ESMTPSA id EF725259D07; Fri, 8 Sep 2023 11:11:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wolfsden.cz; s=mail; t=1694171509; bh=bHua6V1JkLwklqdqxMXE+y0VkHtPn+ralfJZKPxoWYQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=E/zyy+guuPi9TrR8TbY3C7W6qayTtBIccFQoNyGfSAwKWZClQl2K0bRvCARPrAKo4 1fWrUvWgDMf1jFG6Uv0IewMM4GqUxrRfbfPi/CtFdDy4ioNJE5DCKkY5wnrCJSRTA0 r9leJN5+j98onQQnDrtIEDyLKDBPjCXrP3/0ZnvzXe0Bsb2Imj2syqkW5pbNdZeQss wIIdEo9jNyy5Qu5YQQ33p0J2zIilHVI6P47Cmwzv3wY9nyYECCepnEM7psHr01e8Pu 4jQo4pHIY9fWxsAqv+MU6l3oCSsUYxOCs+0NsSk2WQmPHp11FnU/nLLgpw0uQzs1HI WhZE1TxnkVtJBrseE7Z415ko1E7LoQirDFY2zmULewoPyD+leL1sRRWT8rEttPXNlJ h8DaTqihsyMy1j9trmMDvvGr6gkGG9erUC/udSR1W4bdRcAa8qP1JDslMqhcnkJHUr S6sTBfYtNpKSfaxEqNrpm7v/L846GSzbXPjWNPb8RVqRxW4KsinZZrL9PNPm+mZshW qSQZxjMucsd8iRmT4pUZ9flWuH3WJfdLN4imM3Zg9DenLUMR2Lg4SeSfjqD29v/05F QCvSC0DEyjia8mnj5s91+6uEFr1zgo184YGQ4sj3k5/gzPW0dTKddcf6BkBVYezFTL wqge2tD1/y/UlTxTf4/BCYUw= Received: from localhost (localhost [local]) by localhost (OpenSMTPD) with ESMTPA id b8238bef; Fri, 8 Sep 2023 11:11:48 +0000 (UTC) Date: Fri, 8 Sep 2023 13:11:48 +0200 From: wolf To: Wojtek Kosior Cc: Josselin Poiret , Simon Tournier , Nicolas =?iso-8859-1?Q?D=E9bonnaire?= , guix-devel@gnu.org Subject: Re: Building from git Message-ID: Mail-Followup-To: Wojtek Kosior , Josselin Poiret , Simon Tournier , Nicolas =?iso-8859-1?Q?D=E9bonnaire?= , guix-devel@gnu.org References: <87ledikx1u.fsf@gmail.com> <87ledht4he.fsf@jpoiret.xyz> <20230908114756.61b28cf2.koszko@koszko.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="yfzZX7lu2KBBGZn9" Content-Disposition: inline In-Reply-To: <20230908114756.61b28cf2.koszko@koszko.org> Received-SPF: none client-ip=37.205.8.62; envelope-from=ws@wolfsnet.cz; helo=wolfsden.cz X-Spam_score_int: -17 X-Spam_score: -1.8 X-Spam_bar: - X-Spam_report: (-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_PASS=-0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Scanner: mx2.migadu.com X-Spam-Score: -9.91 X-Migadu-Queue-Id: CE6305232B X-Migadu-Spam-Score: -9.91 X-TUID: /gv/uV761IAk --yfzZX7lu2KBBGZn9 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2023-09-08 11:47:56 +0200, Wojtek Kosior wrote: > Hello Josselin >=20 > > wolf writes: > >=20 > > > Hmm, but the recipe for the authenticate rule comes from the (possibl= y) > > > compromised source, no? So the attacker can just modify the recipe i= nstead of > > > the command going the authentication. Am I missing something? =20 > >=20 > > You can use a previously trusted guix to do the authentication. `make > > authenticate` is here for committers to check that their commits are all > > properly signed before pushing (it's used as a pre-push hook). >=20 > From my understanding of the documentation, `make authenticate` is not > just for committers but for all people who do a `git pull` in Guix tree > and want to verify that the newly pulled commits do come from the > committers. It it is not the case, then the documentation should > probably be modified to make it clear. >=20 > The recipe is not from an untrusted source mecause the Makefile is not > tracked by git. Rather, it gets generated when first building Guix. And > =E2=80=94 as the documentation instructs =E2=80=94 the initial checkout g= ets > authenticated with `guix git authenticate` rather than with `make > authenticate` so it can't get compromised that easily. >=20 > Had someone managed to serve us a commit that adds another Makefile > with a backdoor, git would report a conflict upon pulling. I believe > this is what the implementors had in mind. Please clarify if this is > wrong. Yes, I believe this reasoning is wrong. Even ignoring the fact that people might run git clean or use worktrees, you can just attack the Makefile.am. = I created a new commit in my checkout: commit b3b378ad8f725f16be0602113e7f2d2afd89a920 (HEAD -> master) Author: x Date: Fri Sep 8 11:04:44 2023 +0000 =20 this commit is so not signed and valid =20 diff --git a/Makefile.am b/Makefile.am index 922913355c..e5f7c37491 100644 --- a/Makefile.am +++ b/Makefile.am @@ -883,10 +883,7 @@ channel_intro_signer =3D BBB0 2DDF 2CEA F6A8 0D1D = E643 A2A0 6DF2 A33A 54FA GUIX_GIT_KEYRING =3D origin/keyring authenticate: $(AM_V_at)echo "Authenticating Git checkout..." ; \ - guix git authenticate \ - --keyring=3D$(GUIX_GIT_KEYRING) \ - --cache-key=3Dchannels/guix --stats \ - "$(channel_intro_commit)" "$(channel_intro_signer)" + echo "Don't worry, your checkout is just fine... :)" =20 # Assuming Guix is already installed and the daemon is up and running,= this # rule builds from $(srcdir), creating and building derivations. guix git authenticate fails, as expected: Authenticating commits 9edb3f6 to b3b378a (1 new commits)... [######################################################################= ########]guix git: error: commit b3b378ad8f725f16be0602113e7f2d2afd89a920 l= acks a signature The missing new line after ] is somewhat meh, but it correctly fails. Howe= ver make authenticate does pass: $ guix shell -D guix guix --pure -- make authenticate cd . && /bin/sh /home/wolf/src/guix/build-aux/missing automake-1.16 --= gnu Makefile Makefile.am:896: warning: AM_GNU_GETTEXT used but 'po' not in SUBDIRS cd . && /bin/sh ./config.status Makefile depfiles config.status: creating Makefile config.status: executing depfiles commands Authenticating Git checkout... Don't worry, your checkout is just fine... :) I mean, if make authenticate is just for the convenience of the committers,= then this is completely fine. But the documentation does not currently read that way. >=20 > I do see 1 loophole here, though. One could serve a compromised > makefile under the name "GNUmakefile" and `make authenticate` would > happily choose it over the non-compromised "Makefile". I was planning > to start a new thread about it for some time... but this one seems like > a just as appropriate place to mention the issue. >=20 > It shouldn't be hard to fix. It boils down to having ./configure create > a GNUmakefile as well. Perhaps as a symlink to the original Makefile? >=20 > Best, > Wojtek >=20 > -- (sig_start) > website: https://koszko.org/koszko.html > fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A > follow me on Fediverse: https://friendica.me/profile/koszko/profile >=20 > =E2=99=A5 R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ=3D=3D | =C3=B7 c2luIHNlcGFyY= XRlZCBtZSBmcm9tIEhpbQ=3D=3D > =E2=9C=9D YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ=3D=3D | ? U2hhbGwgSSBiZWNvbW= UgSGlzIGZyaWVuZD8=3D > -- (sig_end) >=20 >=20 > On Fri, 08 Sep 2023 11:10:37 +0200 Josselin Poiret wrot= e: >=20 > > Hi, > >=20 > > wolf writes: > >=20 > > > Hmm, but the recipe for the authenticate rule comes from the (possibl= y) > > > compromised source, no? So the attacker can just modify the recipe i= nstead of > > > the command going the authentication. Am I missing something? =20 > >=20 > > You can use a previously trusted guix to do the authentication. `make > > authenticate` is here for committers to check that their commits are all > > properly signed before pushing (it's used as a pre-push hook). > >=20 > > Best, W. --=20 There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors. --yfzZX7lu2KBBGZn9 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEt4NJs4wUfTYpiGikL7/ufbZ/wakFAmT7AXQACgkQL7/ufbZ/ walh4Q//dyW8PTcbgtQgnfYeHOUB5eqs28B9Hdo2MqTbJP3EHvay1XfesVZ0ZNKM XXsex0KdRvuiqmQqqgi0baVkhirnoIj9FLuKhhglltZJNee2OG1UHpahjK8uZER6 2v9lE14lN2wgU0nKek0e5TAJqmBiJEoTsPSqqpEHqFIw2vuVxaweOrKL/1IzjbTj fLPD6CG68CB2o/v4xw9Y3fDwxzwBirPu1UDk1QMJSlWvmlLxeTKqtuf59JPEltSn SbliMcVzp8SDAemDJA/o3lt3Wtx9bo4trHTWsttowBOO5kS4isL9LWmOS7gGj9gV Cu3n+jMeLnpKkXnouNi66+U/6TfIsFt2cMsMUQxnAFt4HkAB/SBDz0x/+TzMJ9Sq XOsXuUKoAlszH9G9DVemg9c4fyq3dWyzqGUioOAy9+XH71wiKfK/COQII1hgzq8d bz1Htf1jOskhxBK80DpflOWaQQUfScC1Xspey7WF8wKz/GsQXbk+YeNDSjAgu6jy Zo4vbMVaheaxvTHDxO9dThhVa3lhgSpZonIrloK5b4HS16YDCWXRJWDNhvjgzal8 B65b+ZmgRWK1wTkdDVzAnkJK5wkU0lnVL7QSzKLj5LkKVmuk9BOLOVKgZahysb5Z R24DA+I7A+odwoxYMrQX6QVFajWYWi2VjJDWFhtdR43jhTEJ3JM= =aGCH -----END PGP SIGNATURE----- --yfzZX7lu2KBBGZn9--