Security of packages in official repo

Security of packages in official repo

[Phil]

Hi all,

I can find a few articles that give a good overview of Guix security
with regard to ensuring that what is pulled onto my local server is always a true
representation of the packages as intended by the package authors.

There's also a good process for alerting Guix of potential security issues.

However, can anyone point me to, or explain - what is done to audit
packages in the official Repo in the first place - i.e. how do I know
that a piece of software supplied to me by Guix is not only
delivered in a safe/reliable fashion, but is also free from malware potentially
introduced by the authors/maintainers themselves?

How are new packages or updates audited or reviewed before being accepted
into Guix's official repo?

It's a paranoid question I know - but it's a regular one on security
audits to sign-off software use....  I know that nobody is going to audit
every single line of code of every package, but knowing that some
process exist is normally enough to satisfy the audit?

A similar question and fairly reassuring answer from the Ubuntu Security
Team is given here - I was hoping to find something similar for Guix:
https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited


Thanks,
Phil

Re: Security of packages in official repo

[zimoun]

Hi,

On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:

> However, can anyone point me to, or explain - what is done to audit
> packages in the official Repo in the first place - i.e. how do I know
> that a piece of software supplied to me by Guix is not only
> delivered in a safe/reliable fashion, but is also free from malware potentially
> introduced by the authors/maintainers themselves?

Nothing.  It is about trust, as with any distribution.  Now, you can
audit by yourself the source code, compiled by yourself and check if it
is the same that the substitutes serve you.

  # get the source
  guix build -S foo

  # build (fetch substitutes by default)
  guix build foo

  # re-build
  guix build foo --no-grafts --check

And if the binaries are different, it means unreproducibility are
around; which implies weakness (unsafe is too strong).

Note “guix challenge” allows to compare what is build locally and
what is served by the build farm.

An experimental service is running to detect unreproducibility between
the different build farms.  For example scripts are floating around [1].

Moreover, if you are in paranoid mode, then you have to start to verify
the bootstrap chain and the initial binary seed; ~60MB in Guix if I
remember correctly and too much for Ubuntu and co.


1: <https://yhetil.org/guix-devel/86mu0rt95k.fsf@gmail.com>


> How are new packages or updates audited or reviewed before being accepted
> into Guix's official repo?
>
> It's a paranoid question I know - but it's a regular one on security
> audits to sign-off software use....  I know that nobody is going to audit
> every single line of code of every package, but knowing that some
> process exist is normally enough to satisfy the audit?

There is no formal process, AFAIK.  But since no one wants craps running
on their machine, we can guess it is informally done. :-)


> A similar question and fairly reassuring answer from the Ubuntu Security
> Team is given here - I was hoping to find something similar for Guix:
> https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited

I will not comment on this because it is a trap.  You have no insurance
(the ability to check) that the source code they audited corresponds to
the binary you fetch and then run.

Pedestrian video explaining that is here: <https://youtu.be/I2iShmUTEl8>

(Sorry, maybe the video is on a platform more respectful but I am too
lazy to search.)


AFAIK, Guix is one the most advanced tool to check paranoid questions.

Last, if you are talking about CVE and security updates, they are pushed
to master as soon as possible, IIUC.

Hope that helps,
simon

Re: Security of packages in official repo

[Ricardo Wurmus]

zimoun <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware potentially
>> introduced by the authors/maintainers themselves?
>
> Nothing.

It’s a little more than nothing in some cases.  For example, there was
extensive work to gain confidence that Ungoogled Chromium does not phone
home.  Generally, anti-features such as update checkers that phone home
are patched out.

We generally take the code as is, however, and don’t assume that every
bit of free software out there is malware in disguise until it is
demonstrated beyond reasonable doubt that this is not the case.  That
would neither be feasible nor would it guarantee satisfactory results.

-- 
Ricardo

Re: Security of packages in official repo

[zimoun]

Hi Ricardo,

On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:
> zimoun <zimon.toutoune@gmail.com> writes:
>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of software supplied to me by Guix is not only
>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>> introduced by the authors/maintainers themselves?
>>
>> Nothing.

The correct quote is: «Nothing.  It is about trust, as with any
distribution.» 

> It’s a little more than nothing in some cases.  For example, there was
> extensive work to gain confidence that Ungoogled Chromium does not phone
> home.  Generally, anti-features such as update checkers that phone home
> are patched out.
>
> We generally take the code as is, however, and don’t assume that every
> bit of free software out there is malware in disguise until it is
> demonstrated beyond reasonable doubt that this is not the case.  That
> would neither be feasible nor would it guarantee satisfactory results.

Even if I agree and your complement makes totally sense, and for sure I
thank a lot all the collectively tough work done, I still claim that
“you do not know that a piece of software supplied to you by <name-it>
is free from malware potentially introduced by <whatever>”.  The only
way to know is to audit yourself, compiled yourself using a toolchain
that you audited yourself.

Therefore, it is about trust.

The question is: what does Guix do to be trust-able?  I think all the
code around speaks by itself.  And personally I trust people doing that
job and then pushing to Guix.


Cheers,
simon

Re: Security of packages in official repo

[Ricardo Wurmus]

zimoun <zimon.toutoune@gmail.com> writes:

> Hi Ricardo,
>
> On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:
>> zimoun <zimon.toutoune@gmail.com> writes:
>>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>>
>>>> However, can anyone point me to, or explain - what is done to audit
>>>> packages in the official Repo in the first place - i.e. how do I know
>>>> that a piece of software supplied to me by Guix is not only
>>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>>> introduced by the authors/maintainers themselves?
>>>
>>> Nothing.
>
> The correct quote is: «Nothing.  It is about trust, as with any
> distribution.»
[…]
> Therefore, it is about trust.

Certainly, I do not disagree.  When someone does extra work to audit the
code and nobody is there to witness it … “does it make a sound”?  :)

All dilligence here is trust with extra steps, but it still is
trust-based.

-- 
Ricardo

Re: Security of packages in official repo

[zimoun]

Hi Ricardo,

On Thu, 26 Nov 2020 at 22:10, Ricardo Wurmus <rekado@elephly.net> wrote:

> Certainly, I do not disagree.  When someone does extra work to audit the
> code and nobody is there to witness it … “does it make a sound”?  :)

Thoughtful as a Chinese koan. :-)  I am so grateful for all this extra work.

Cheers,
simon

Re: Security of packages in official repo

[Phil]

Thanks for the reply Simon.

zimoun writes:

> Nothing.  It is about trust, as with any distribution.  Now, you can
> audit by yourself the source code, compiled by yourself and check if it
> is the same that the substitutes serve you.

I understand that Guix makes the process of reproducability and auditing
much more rock-solid than most other distributions - and this more than
satisfies any requirements I have for proving that software package X,
is a true representation of source code X, built with toolchain Y.

This is great - but my question is more mundane than that.

The good news is I think it's answered here:
https://guix.gnu.org/manual/en/guix.html#Submitting-Patches

Say I have a new piece of software I've developed and I want to make it
available through Guix's offical repo.  I define a new Guix package for
that app - and create a patch for it.

The important point is that the patch is vetted by the members of
guix-patches@gnu.org mail list.  And I assume packages which appear
inappropriate for whatever reason are not accepted by members of this
list?

This is different to PyPi for example where (I believe) anyone can upload
any content and have the public downloading it immediately without any
approval or vetting - it's pretty Wild West.

This makes some institutions unwilling to give students/employees/etc
access to systems like PyPi... but on other systems where there is a
degree of scrutiny required (such as patch vetting on Guix) - this can
make a world of difference in terms of getting a tick in the right box.

Whether there is wisdom or any real protection is a separate question
of course (nobody will guarantee every line of every source repo!), but
nevertheless from a practical point of view, it can prove useful in
getting software like Guix adopted - which is what I'm keen to do.

As a workaround it would seem perfectly possible to host a private Guix
channel with a subset of packages on that have been internally vetted,
but it would be more in the spirit of Guix to contribute and use the
official package repo.


Thanks - hopefully I haven't overly laboured my point!

Phil

Re: Security of packages in official repo

[zimoun]

Hi,

On Thu, 26 Nov 2020 at 19:07, Phil <phil@beadling.co.uk> wrote:

> The important point is that the patch is vetted by the members of
> guix-patches@gnu.org mail list.  And I assume packages which appear
> inappropriate for whatever reason are not accepted by members of this
> list?

Anyone can subscribe to guix-patches and discuss the patches.  Give a
look at:

   <http://issues.guix.gnu.org/>

However, a set of restricted people have commit access and so push code
which is compliant with the GNU standards.


> As a workaround it would seem perfectly possible to host a private Guix
> channel with a subset of packages on that have been internally vetted,
> but it would be more in the spirit of Guix to contribute and use the
> official package repo.

Yes, custom Channels [1] is the way to deliver variants.  Well, it is up
to the channel maintainer to set the rules of the very channel; for
instance, provide or not non-free software.  Therefore, the Wild West
could happen to some custom Channels.

1:  <https://guix.gnu.org/manual/devel/en/guix.html#Channels>


All the best,
simon