From: Maxim Cournoyer
To: Ludovic Courtès
Cc: 41767@debbugs.gnu.org
Subject: [bug#41767] [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts.
Date: Thu, 11 Jun 2020 09:15:07 -0400
Message-ID: <878sgtd9r8.fsf@gmail.com>
In-Reply-To: <87sgf2araw.fsf@gnu.org>

Hi Ludovic,

Ludovic Courtès writes:

> Hi Maxim,
>
> Maxim Cournoyer skribis:
>
>>> +(define %guix-channel-introduction
>>> + ;; Introduction of the official 'guix channel. The chosen commit is the
>>> + ;; first one that introduces '.guix-authorizations' on the 'core-updates'
>>> + ;; branch that was eventually merged in 'master'. Any branch starting
>>> + ;; before that commit cannot be merged or it will be rejected by 'guix pull'
>>> + ;; & co.
>>> + (make-channel-introduction
>>> + "87a40d7203a813921b3ef0805c2b46c0026d6c31"
>>> + (base16-string->bytevector
>>> + (string-downcase
>>> + (string-filter char-set:hex-digit ;mbakke
>>> + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))
>>> + #f)) ;TODO: Add an intro signature so it can be exported.
>>
>> The GnuPG key fingerprint is SHA1 derived, which isn't cryptographically
>> secure. This doesn't mean fingerprints are unsafe *now* (given that
>> forging a key to match it isn't currently practical),
>
> Fingerprints are used as an index in the keyring here. If somebody
> introduced a second OpenPGP key with the same fingerprint in the keyring
> and we picked the wrong one when verifying a signature, signature
> verification would just fail. So I think it’s perfectly OK here.

Agreed; thanks for pointing that out. I don't see a problem with our
use of OpenPGP either then :-).

[...]

> The “SHA-1 is a Shambles” paper reads:
>
>   The GIT developers have been working on replacing SHA-1 for a
>   while[16], and they use a collision detection library [SS17] to
>   mitigate the risks of collision attacks.
>
>   [16] https://git-scm.com/docs/hash-function-transition/
>
> On the Fediverse, someone pointed out that Bitcoin Core developers
> compute a SHA512 hash of Git trees to mitigate it:
>
>   https://github.com/bitcoin/bitcoin/tree/master/contrib/verify-commits
>
> What they do is add a “Tree-SHA512:” line to commit logs and check
> those in ‘verify-commits.py’:
>
>   # Check the Tree-SHA512
>   if (verify_tree or prev_commit == "") and current_commit not in incorrect_sha512_allowed:
>       tree_hash = tree_sha512sum(current_commit)
>       if ("Tree-SHA512: {}".format(tree_hash)) not in subprocess.check_output([GIT, 'show', '-s', '--format=format:%B', current_commit]).decode('utf8').splitlines():
>           print("Tree-SHA512 did not match for commit " + current_commit, file=sys.stderr)
>           sys.exit(1)
>
> We could do something similar, maybe optionally, but verification would
> be expensive (you need to traverse all the blobs of the whole tree for
> each commit being authenticated).
>
> At this point, I’d wait for Git’s SHA256 migration to happen, though
> doesn’t specify an
> ETA.

Thanks for pointing out that interesting workaround! I agree that given
Git's plans to migrate to SHA256, it seems reasonable to wait for them
to upgrade and spend our energy somewhere else.

Your changes LGTM.

Thank you,

Maxim
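
Review bot: In the quoted `%guix-channel-introduction` hunk, the fingerprint literal goes through `string-filter` and `string-downcase` with no check on the resulting length, so a dropped group of hex digits in the string would go unnoticed at definition time; checking that the resulting bytevector is 20 bytes long would catch it. The final `#f` also leaves the introduction without a signature, as the TODO says, and `;mbakke` is the only record of whose key this is, so a short comment naming the signer and saying where the signature is expected to come from would help whoever picks up the TODO.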
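
The Tree-SHA512 check discussed above, as an added example that is not code from this thread, from Guix or from Bitcoin Core: a simplified model that hashes a tree held in memory and checks the `Tree-SHA512:` line of each commit message, while counting the bytes hashed to show the per-commit cost mentioned in the quoted message. The tree layout, the digest framing, the sample data and the names `tree_sha512`, `verify_commit` and `verify_history` are assumptions; the real script reads objects from Git.

```python
import hashlib

def tree_sha512(tree):
    """Return (hex digest, bytes hashed) for a tree given as path -> (mode, bytes).

    Assumed framing, not the one verify-commits.py uses: entries sorted by
    path, every field length-prefixed so field boundaries are unambiguous.
    """
    h, hashed = hashlib.sha512(), 0
    for path in sorted(tree):
        mode, content = tree[path]
        for field in (path.encode(), mode.encode(), content):
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
        hashed += len(content)
    return h.hexdigest(), hashed

def verify_commit(message, tree):
    """Return (ok, bytes hashed); ok only if the matching Tree-SHA512 line is present."""
    digest, hashed = tree_sha512(tree)
    return ("Tree-SHA512: " + digest) in message.splitlines(), hashed

def verify_history(commits):
    """Check (message, tree) pairs; return (failing indices, total bytes hashed)."""
    failed, total = [], 0
    for index, (message, tree) in enumerate(commits):
        ok, hashed = verify_commit(message, tree)
        total += hashed          # the whole tree is re-read for every commit
        if not ok:
            failed.append(index)
    return failed, total

# Constructed sample: the same signed message presented with two trees, as
# would happen if a blob were replaced by one with a colliding SHA-1 id.
GOOD_TREE = {
    "README": ("100644", b"GNU Guix\n"),
    "guix/channels.scm": ("100644", b"(define-module (guix channels))\n"),
}
SWAPPED_TREE = dict(GOOD_TREE, README=("100644", b"GNU Guix, altered\n"))
MESSAGE = "channels: Add introduction.\n\nTree-SHA512: " + tree_sha512(GOOD_TREE)[0]
HISTORY = [(MESSAGE, GOOD_TREE), (MESSAGE, SWAPPED_TREE), ("no trailer", GOOD_TREE)]

if __name__ == "__main__":
    failed, total = verify_history(HISTORY)
    print("failing commits:", failed, "bytes hashed:", total)
```

The total grows with tree size times the number of commits checked, not with the size of each change, which is the cost the quoted message points to.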