From: zimoun
To: Phil, help-guix@gnu.org
Subject: Re: Security of packages in official repo
In-Reply-To: <855z5sqoxm.fsf@beadling.co.uk>
References: <855z5sqoxm.fsf@beadling.co.uk>
Date: Thu, 26 Nov 2020 17:01:46 +0100
Message-ID: <86eekgrtsl.fsf@gmail.com>
Hi,

On Thu, 26 Nov 2020 at 12:32, Phil wrote:

> However, can anyone point me to, or explain - what is done to audit
> packages in the official Repo in the first place - i.e. how do I know
> that a piece of software supplied to me by Guix is not only
> delivered in a safe/reliable fashion, but is also free from malware
> potentially introduced by the authors/maintainers themselves?

Nothing.  It is about trust, as with any distribution.

Now, you can audit the source code yourself, compile it yourself and
check whether it is the same as what the substitutes serve you.

  # get the source
  guix build -S foo

  # build (fetch substitutes by default)
  guix build foo

  # re-build
  guix build foo --no-grafts --check

And if the binaries are different, it means unreproducibility is around,
which implies weakness (unsafe is too strong).

Note “guix challenge” allows comparing what is built locally with what is
served by the build farm.

An experimental service is running to detect unreproducibility between
the different build farms.  For example, scripts are floating around [1].

Moreover, if you are in paranoid mode, then you have to start verifying
the bootstrap chain and the initial binary seed; ~60MB in Guix if I
remember correctly and too much for Ubuntu and co.

1:

> How are new packages or updates audited or reviewed before being
> accepted into Guix's official repo?
>
> It's a paranoid question I know - but it's a regular one on security
> audits to sign-off software use.... I know that nobody is going to
> audit every single line of code of every package, but knowing that
> some process exists is normally enough to satisfy the audit?

There is no formal process, AFAIK.  But since no one wants crap running
on their machine, we can guess it is informally done. :-)

> A similar question and fairly reassuring answer from the Ubuntu
> Security Team is given here - I was hoping to find something similar
> for Guix:
> https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited

I will not comment on this because it is a trap.  You have no insurance
(the ability to check) that the source code they audited corresponds to
the binary you fetch and then run.  Pedestrian video explaining that is
here:

(Sorry, maybe the video is on a platform more respectful but I am too
lazy to search.)

AFAIK, Guix is one of the most advanced tools to check paranoid
questions.

Last, if you are talking about CVE and security updates, they are
pushed to master as soon as possible, IIUC.

Hope that helps,
simon
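The check simon describes (build the package locally, then compare the result with what the substitute server handed you) comes down to hashing two output trees in a canonical way and diffing them. The following is an added example written for this archive page; it is not code from the thread and not Guix's own implementation. It computes a content hash over a directory tree (sorted relative paths, entry kind, executable bit and file bytes, deliberately ignoring timestamps and ownership, which a reproducibility check must not flag), then reports which files differ between a "local" and a "substitute" copy. The two sample trees, the fake `bin/foo` bytes and the embedded build date are constructed inline; the hashing scheme is this example's own, loosely in the spirit of a normalized archive, and is not Guix's nar format.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def tree_hash(root):
    """Canonical SHA-256 over a directory tree.

    Entries are visited in sorted order; each contributes its relative
    path, its kind (dir/file/symlink), the executable bit for files and
    the file contents.  Mtimes and owners are left out on purpose: two
    builds that differ only in timestamps are still reproducible.
    Example scheme only, not Guix's nar serialization.
    """
    root = Path(root)
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix().encode()
        h.update(b"path:" + rel + b"\0")
        if p.is_symlink():
            h.update(b"symlink:" + os.readlink(p).encode() + b"\0")
        elif p.is_dir():
            h.update(b"dir\0")
        else:
            exe = b"x" if os.access(p, os.X_OK) else b"-"
            h.update(b"file:" + exe + b"\0")
            h.update(p.read_bytes())
            h.update(b"\0")
    return h.hexdigest()


def file_digests(root):
    """Map relative path -> sha256 of contents, used to locate differences."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_outputs(local, substitute):
    """Return (reproducible, differing_paths).

    differing_paths lists files present in only one tree or with
    different contents, so a failed check points at the culprit instead
    of just saying "hash mismatch".
    """
    same = tree_hash(local) == tree_hash(substitute)
    a, b = file_digests(local), file_digests(substitute)
    diffs = sorted(path for path in set(a) | set(b) if a.get(path) != b.get(path))
    return same, diffs


def _write_tree(root, files):
    """Helper: materialize {relative_path: bytes} under root (constructed data)."""
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed sample: one build bakes its build date into a doc file."""
    common = {
        "bin/foo": b"\x7fELF deterministic stand-in for a binary (constructed)",
        "share/doc/foo/README": b"foo 1.0\n",
    }
    with tempfile.TemporaryDirectory() as local, tempfile.TemporaryDirectory() as farm:
        # Identical outputs: the check passes and lists no differing files.
        _write_tree(local, common)
        _write_tree(farm, common)
        ok, diffs = compare_outputs(local, farm)
        # Now the "farm" copy embeds a build date (a classic unreproducibility
        # source); the hashes diverge and the offending file is named.
        _write_tree(farm, {"share/doc/foo/README": b"foo 1.0\nbuilt 2020-11-26\n"})
        bad, bad_diffs = compare_outputs(local, farm)
    return ok, diffs, bad, bad_diffs


if __name__ == "__main__":
    ok, diffs, bad, bad_diffs = demo()
    print("identical trees reproducible:", ok, diffs)
    print("trees with embedded date reproducible:", bad, bad_diffs)
```

In real use the two trees would be the store item produced by `guix build foo --no-grafts --check` and the one fetched as a substitute; `guix challenge` performs this kind of comparison for you against the hashes the substitute servers publish. The point of the example is to make the shape of that comparison visible: the hash must be canonical (order and metadata independent) or every rebuild will look "different", and the per-file diff is what turns a mismatch into something you can investigate.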