From: Leo Famulari
Subject: Re: `guix pull` over HTTPS
Date: Sat, 11 Feb 2017 14:25:38 -0500
Message-ID: <20170211192538.GA9077@jasmine>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine> <87fujmcb6w.fsf@gnu.org> <87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87inoh660r.fsf@gnu.org> <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871sv44x97.fsf@gnu.org>
In-Reply-To: <871sv44x97.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
> Marius Bakke wrote:
> > I think pinning the public key could work, if the Savannah
> > administrators are aware of it. But we'd need a reliable fallback
> > mechanism in case the private key needs to be updated.
>
> Yeah, sounds fragile.

My attitude about improving the security of `guix pull` can be summarized as "The perfect is the enemy of the good".
Unless we control the server that provides the default `guix pull` source, I don't think we should try pinning a key. I don't want to take the risk that `guix pull` breaks permanently because something gets messed up on Savannah. If `guix pull` breaks in a way that requires users to do `guix pull --url=foo`, then we will have failed, in my opinion.

I'd rather try an incremental approach, for example:

1) Fetch code over HTTPS instead of HTTP
2) Think about hosting our own infrastructure and pinning a key (but ideally we don't have to trust the Git repo infrastructure)
3) Verify Git commit signatures
4) Think about building a set of trusted PGP keys and verifying Git commit signatures against this set

... or something like that.

> > I think having a separate 'le-certs' package that can verify the Let's
> > Encrypt chain sounds like the easiest option. Presumably new
> > intermediates etc will be known well in advance.
>
> That sounds more reasonable to me. Do you know what it would take to
> get the whole LE chain in such a package? Would you like to give it a
> try?

It's a good idea; let's try it. However, I think that pulling code over HTTPS using a certificate store like nss-certs or from the host distro is a huge improvement over what we have now. If we can do that sooner, we should.

WDYT?
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlifZS8ACgkQJkb6MLrK
fwjdvA//b8G+7i9lEeW7eeX7E08+jCybo4dKcyzK87i9Lp5S09N4UGa9spUkRKIP
X7Gal9ZbgNl3YHlrypjukJXfnxqZdOnGizINZg4yUEOaDml/+XQma2kyKL086NdO
5DIcHPpD3dh/0xtHZ8EJ22ZlZgWwQNUUDWBr69co0FVcgJzmfXjBgUFmwVjk+M7p
Xem4uM2gtbRwmqQ0M6zFDuv5hwpNkcjnROeTLPRYX3/rVKbIXCKTS7/lKv4dKUlr
J8w3k2ALekQRdbYJhnuZtRXm4luyBxkiWElnWXXfK++JbGx5xtl9SzkwQgGXC0Lm
GYa9oMN+8DCWjvluPt92JycmuzkyjIApsup16NDHYciDleAdkemhoDsCmbG8ABtc
xQsyaFsxPpkUw1RHRMpGa9X6SJYw4wbzl2ARhq+6Zrs3qOV8UuCODy3XxmGznp6+
aXcuIhRk1h5AaAfpOe5uKOf5rR2uswXKeW5n8yedPc69lEet+VbTFTEsbfJbi39J
HU16dgs1Hr8xAi0v/g+R1sJeUJFECGqTubUoo5Mtp/kNYooYEqrBfam/U7HyGZXk
/XEDccCBL/vULmqTQy8xviKWeSL/lB16za5LzbbDs1i2+gzoQ+kPinER+/frL2l2
pOSlkSixjtiWQlFeH4W6+/38/Dc754O1nOiSohJscHhHJjMFwG8=
=k++3
-----END PGP SIGNATURE-----
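A client-side check for steps 3 and 4 of the plan above (verify the Git commit signatures, then verify them against an explicit set of trusted PGP keys), added here as an illustration; it is not code from Guix or from anyone on this thread. It assumes that the output of `git log --format='%H%x09%G?%x09%GP%x09%s' <range>` has already been captured (`%G?` is Git's one-letter signature status and `%GP` the primary-key fingerprint of the signing key, both documented in git-log(1)); the commit hashes, fingerprints and subjects in the sample are constructed placeholders.

```python
"""Audit a range of Git commits against an allowlist of PGP key fingerprints.

Added example, not Guix's own code. Input is the text produced by

    git log --format='%H%x09%G?%x09%GP%x09%s' <range>

i.e. one tab-separated line per commit: hash, signature status, primary-key
fingerprint, subject. Everything below the format constant is constructed
sample data and policy logic, not anything from the mailing-list thread.
"""
from dataclasses import dataclass

# Format string for the git log invocation this script consumes.
GIT_LOG_FORMAT = "%H%x09%G?%x09%GP%x09%s"

# Git's %G? status codes, as documented in git-log(1).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Statuses that mean "the signature is cryptographically good". "U" is
# accepted deliberately: GnuPG's ownertrust is irrelevant here because the
# fingerprint allowlist below is the trust anchor, not the web of trust.
ACCEPTED_STATUSES = {"G", "U"}

# Constructed allowlist. Fingerprints may be written with the spaces gpg
# prints; they are normalised before comparison.
TRUSTED_KEYS = {"AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555"}

# Constructed sample of git log output (placeholder hashes and keys).
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\tgnu: foo: Update to 1.2.",
    "2222222222222222222222222222222222222222\tU\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\tgnu: bar: Fix build.",
    "3333333333333333333333333333333333333333\tG\t9999888877776666555544443333222211110000\tgnu: baz: Add package.",
    "4444444444444444444444444444444444444444\tN\t\tbuild: Tweak Makefile.",
    "5555555555555555555555555555555555555555\tE\t\tdoc: Fix typo.",
])


@dataclass(frozen=True)
class Commit:
    sha: str
    status: str
    fingerprint: str
    subject: str


def normalise_fingerprint(fpr):
    """Strip spaces and upper-case so 'AAAA 1111 ...' and 'aaaa1111...' match."""
    return fpr.replace(" ", "").upper()


def parse_log(text):
    """Parse the tab-separated git log output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=3 keeps tabs inside the subject, if any, in the subject.
        sha, status, fpr, subject = line.split("\t", 3)
        commits.append(Commit(sha, status, normalise_fingerprint(fpr), subject))
    return commits


def check_commits(commits, trusted):
    """Return [(sha, reason)] for every commit that fails the policy.

    Policy: the signature must be cryptographically good (status G or U)
    AND the primary-key fingerprint must be in the trusted set. A good
    signature from a key outside the set is a failure: having the key in
    the local keyring is not the same as trusting it to sign this repo.
    """
    trusted = {normalise_fingerprint(f) for f in trusted}
    problems = []
    for c in commits:
        if c.status not in ACCEPTED_STATUSES:
            problems.append((c.sha, STATUS_TEXT.get(c.status, "unknown status %r" % c.status)))
        elif c.fingerprint not in trusted:
            problems.append((c.sha, "signed by untrusted key " + c.fingerprint))
    return problems


def audit(log_text, trusted):
    """True when every commit in the log passes; otherwise False."""
    return not check_commits(parse_log(log_text), trusted)


if __name__ == "__main__":
    for sha, reason in check_commits(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print("%s: %s" % (sha[:12], reason))
    print("audit passed" if audit(SAMPLE_LOG, TRUSTED_KEYS) else "audit FAILED")
```

Run against the constructed sample, the audit rejects three of the five commits: one signed by a key that is in the keyring but not on the allowlist, one unsigned, and one whose key is missing so Git could not check it. The design point is the separation of the two checks: Git and GnuPG answer "is this signature valid for some key?", while the allowlist answers "is that key one we have agreed may sign this repository?", and both must hold before a commit is accepted.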