From: zimoun
To: bokr@bokr.com, Ludovic Courtès
Cc: guix-devel, guix-science@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
In-Reply-To: <20220630213735.GA9726@LionPure>
References: <87zghu5jex.fsf@inria.fr> <20220630213735.GA9726@LionPure>
Date: Fri, 01 Jul 2022 11:21:43 +0200
Message-ID: <87h741nq6w.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Bengt,

On Thu, 30 Jun 2022 at 23:37, bokr@bokr.com wrote:

> I think IWBN to have some kind of trust code come with that git output,
> like gpg's 1-5 but indicating how well the committer/signer trusts
> that using the code will *not* cause a problem.

Well, from my understanding, Guix is dealing with 4 sorts of code:

 1. Guix recipe of a package
 2. Guix service
 3. Guix itself
 4. Upstream

I do not think committers are pushing code about #1, #2 or #3 that they
know beforehand will cause a problem. Therefore, I do not see how it
could be implemented without being rooted in committer feelings, opinion
or self-confidence, i.e., highly variable from one committer to the
other. The GPG trust level works because it is based on the web of
trust. Here, there is no web, IMHO.

Most of the security issues are from #4. Considering how hard it is to
find and tackle the security issues, there are only two strategies,
IMHO: do not trust, which implies a deep audit of distributed source code
and so restricts the set of available packages (it is somehow an OpenBSD
approach); or accept more packages, which means somehow trusting
upstream, to some extent.

However, all in all, it asks what is expected by the reviewing process,
as discussed [1]. :-)

1:

Cheers,
simon