unofficial mirror of help-guix@gnu.org 
From: zimoun <zimon.toutoune@gmail.com>
To: Phil <phil@beadling.co.uk>, help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 17:01:46 +0100
Message-ID: <86eekgrtsl.fsf@gmail.com>
In-Reply-To: <855z5sqoxm.fsf@beadling.co.uk>

Hi,

On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:

> However, can anyone point me to, or explain - what is done to audit
> packages in the official Repo in the first place - i.e. how do I know
> that a piece of software supplied to me by Guix is not only
> delivered in a safe/reliable fashion, but is also free from malware potentially
> introduced by the authors/maintainers themselves?

Nothing.  It is about trust, as with any distribution.  Now, you can
audit the source code yourself, compile it yourself, and check whether
it is the same as what the substitutes serve you.

  # get the source
  guix build -S foo

  # build (fetch substitutes by default)
  guix build foo

  # re-build
  guix build foo --no-grafts --check

And if the binaries are different, it means unreproducibility is
around, which implies weakness (unsafe is too strong).

Note that “guix challenge” allows comparing what is built locally with
what is served by the build farm.

An experimental service is running to detect unreproducibility between
the different build farms.  For example, scripts are floating around [1].

Moreover, if you are in paranoid mode, then you have to start by verifying
the bootstrap chain and the initial binary seed; ~60MB in Guix if I
remember correctly, and too much for Ubuntu and co.


1: <https://yhetil.org/guix-devel/86mu0rt95k.fsf@gmail.com>


> How are new packages or updates audited or reviewed before being accepted
> into Guix's official repo?
>
> It's a paranoid question I know - but it's a regular one on security
> audits to sign-off software use....  I know that nobody is going to audit
> every single line of code of every package, but knowing that some
> process exists is normally enough to satisfy the audit?

There is no formal process, AFAIK.  But since no one wants crap running
on their machine, we can guess it is informally done. :-)


> A similar question and fairly reassuring answer from the Ubuntu Security
> Team is given here - I was hoping to find something similar for Guix:
> https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited

I will not comment on this because it is a trap.  You have no insurance
(the ability to check) that the source code they audited corresponds to
the binary you fetch and then run.

A pedestrian video explaining that is here: <https://youtu.be/I2iShmUTEl8>

(Sorry, maybe the video is on a more respectful platform, but I am too
lazy to search.)


AFAIK, Guix is one of the most advanced tools to check paranoid questions.

Last, if you are talking about CVE and security updates, they are pushed
to master as soon as possible, IIUC.

Hope that helps,
simon
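The three-step check from the reply above, wrapped into a small POSIX sh script so it can be run over a list of packages (an added example, not code from the mail or from the Guix project). It assumes `guix` is on PATH and relies on `guix build --check` exiting non-zero when the local rebuild is not bit-for-bit identical to the store item, as the Guix manual documents; `guix challenge` remains the tool for comparing against several build farms.

```shell
#!/bin/sh
# Added example: verify that what the substitute server gave us is what
# the source actually builds into. Assumes `guix` is on PATH.

# check_package NAME
#   prints one verdict line on stdout, audit hints on stderr
#   returns 0 = reproducible, 1 = local rebuild differs, 2 = could not test
check_package() {
  pkg=$1

  # 1. fetch the source so it can be audited (path printed to stderr)
  src=$(guix build -S "$pkg") || { echo "$pkg: source fetch failed"; return 2; }
  echo "$pkg: source to audit at ${src:-<path not shown by stub>}" >&2

  # 2. obtain the output the normal way (substitute by default)
  guix build "$pkg" >/dev/null || { echo "$pkg: build failed"; return 2; }

  # 3. rebuild locally and compare with the existing store item;
  #    --check makes guix exit non-zero if the outputs are not identical
  if guix build --no-grafts --check "$pkg" >/dev/null 2>&1; then
    echo "$pkg: reproducible"
    return 0
  fi
  echo "$pkg: DIFFERS (local rebuild does not match store item)"
  return 1
}

# check_all NAME...  -> runs check_package on each, returns 0 only if all match
check_all() {
  bad=0
  for p in "$@"; do
    check_package "$p" || bad=$((bad + 1))
  done
  echo "$bad package(s) differ"
  [ "$bad" -eq 0 ]
}

# Example usage (constructed package names):
#   check_all hello coreutils
```

A package reported as differing is not yet proof of tampering; it is where to start digging (non-deterministic build, then `guix challenge` across farms).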

