Date: Fri, 8 Sep 2023 11:47:56 +0200
To: Josselin Poiret
Cc: wolf, Simon Tournier, Nicolas Débonnaire, guix-devel@gnu.org
Subject: Re: Building from git
Message-ID: <20230908114756.61b28cf2.koszko@koszko.org>
In-Reply-To: <87ledht4he.fsf@jpoiret.xyz>
References: <87ledikx1u.fsf@gmail.com> <87ledht4he.fsf@jpoiret.xyz>
List-Id: "Development of GNU Guix and the GNU System distribution."
From: Wojtek Kosior via "Development of GNU Guix and the GNU System distribution."
Reply-to: Wojtek Kosior

Hello Josselin

> wolf writes:
>
> > Hmm, but the recipe for the authenticate rule comes from the (possibly)
> > compromised source, no?  So the attacker can just modify the recipe instead of
> > the command doing the authentication.  Am I missing something?
>
> You can use a previously trusted guix to do the authentication.  `make
> authenticate` is here for committers to check that their commits are all
> properly signed before pushing (it's used as a pre-push hook).

From my understanding of the documentation, `make authenticate` is not
just for committers but for all people who do a `git pull` in Guix tree
and want to verify that the newly pulled commits do come from the
committers.  If it is not the case, then the documentation should
probably be modified to make it clear.

The recipe is not from an untrusted source because the Makefile is not
tracked by git.  Rather, it gets generated when first building Guix.
And — as the documentation instructs — the initial checkout gets
authenticated with `guix git authenticate` rather than with `make
authenticate` so it can't get compromised that easily.

Had someone managed to serve us a commit that adds another Makefile
with a backdoor, git would report a conflict upon pulling.  I believe
this is what the implementors had in mind.  Please clarify if this is
wrong.

I do see 1 loophole here, though.
One could serve a compromised makefile under the name "GNUmakefile" and
`make authenticate` would happily choose it over the non-compromised
"Makefile".  I was planning to start a new thread about it for some
time... but this one seems like a just as appropriate place to mention
the issue.

It shouldn't be hard to fix.  It boils down to having ./configure
create a GNUmakefile as well.  Perhaps as a symlink to the original
Makefile?

Best,
Wojtek

-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F 4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)


On Fri, 08 Sep 2023 11:10:37 +0200
Josselin Poiret wrote:

> Hi,
>
> wolf writes:
>
> > Hmm, but the recipe for the authenticate rule comes from the (possibly)
> > compromised source, no?  So the attacker can just modify the recipe instead of
> > the command doing the authentication.  Am I missing something?
>
> You can use a previously trusted guix to do the authentication.  `make
> authenticate` is here for committers to check that their commits are all
> properly signed before pushing (it's used as a pre-push hook).
>
> Best,
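
Added example, not part of the original message and not Guix's own code: a shell check for the makefile shadowing described in the message above. It relies on GNU make's default search order (GNUmakefile, makefile, Makefile); the function names are hypothetical, and the symlink case covers the fix proposed in the message.

```shell
#!/bin/sh
# Added example (assumption: run from the top of a built checkout).
# Without -f, GNU make tries these names in order and reads the first
# one that exists: GNUmakefile, makefile, Makefile.

# Print the name of the file a bare `make` would read in directory $1.
make_would_read() {
    for name in GNUmakefile makefile Makefile; do
        if [ -e "$1/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1   # no makefile present at all
}

# Succeed only if a bare `make` in $1 ends up reading the generated
# Makefile: either directly, or through a higher-priority name that is
# the very same file (for example a symlink pointing at Makefile).
makefile_is_unshadowed() {
    chosen=$(make_would_read "$1") || return 1
    [ "$chosen" = Makefile ] && return 0
    [ "$1/$chosen" -ef "$1/Makefile" ]
}

# Hypothetical wrapper: refuse to run when something shadows Makefile,
# and pass -f so make cannot pick a different file name on its own.
checked_make() {
    if ! makefile_is_unshadowed .; then
        echo "refusing: a bare make here would not read ./Makefile" >&2
        return 1
    fi
    make -f Makefile "$@"
}
```

With these functions sourced, `checked_make authenticate` runs the target only from the generated Makefile.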