From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1.migadu.com ([2001:41d0:403:4876::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms1.migadu.com with LMTPS
	id uFvIFGksEGZ+SgEA62LTzQ:P1
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 05 Apr 2024 18:52:57 +0200
Received: from aspmx1.migadu.com ([2001:41d0:403:4876::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1.migadu.com with LMTPS
	id uFvIFGksEGZ+SgEA62LTzQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 05 Apr 2024 18:52:57 +0200
X-Envelope-To: larch@yhetil.org
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=interia.pl header.s=dk header.b=ABZe+9fg;
	dmarc=pass (policy=none) header.from=interia.pl;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1712335977; a=rsa-sha256; cv=none;
	b=N8bKVavKCR8WCV3iHYVZy3ULPkJ2jRAxE4qFgmC0B4+EglRVMCYYK5SaO0QCRwW2XW83Zv
	mnxYc9uGgn6gX2TkKPerejLRZtl9Ra2yvQlo60EUrkuNFV1vceUKUDkzlNfDnNTFNH6xPm
	tcFgIHQShhi/epBdnfZGGq38dDquSF4639D0Gr3Hzn0fgMTJRkIdrMHrzZdUh92DhEH1DP
	4PWgSA7kONRu61RCmGYZBWpkyUfMjQvhiPW2yjh2CWwV5VAgAsQkRvVtvs5Xr/cnaQEIsq
	t0aZES3RCAZqerFSp5UYH03PxHxBwqh7xW8m2c0Fu07Sl/bk6xT1DTIz6n/G1A==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=interia.pl header.s=dk header.b=ABZe+9fg;
	dmarc=pass (policy=none) header.from=interia.pl;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1712335977;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=9ED565wGD/eATBgeiNQQkjez+t2XfbtGrX/tQyPbPRY=;
	b=j5rjF1CdvscxsCO4nFV5fhFiLZQGMVdrvJcBGObqZ6Te8vImbHgEkPs1dwf5OffUe5Xp2U
	XJ/RNHjyQRDEZEK85N4AZpNqhfAVFfgBmC6JcPPf/ky0yI33sr//apWRWmU8U+H90P0yUv
	xGi8QC2k/qvLlgOPl/9wJqnaSZY3noXnL7PolrIvwU4ENC+qhsP/EXbjRlzGzipszroyws
	oc+0gsTpck3S/iH/6e0YENT9JPYl26YpBrv1ZcJcAtyHIVIe1DzBCOqP6NGaE/llJ3Y0WV
	FxuUNJVaCATm73biLvoen/071Rm5NNCK1OtFB0fQI0yQS7drH8pehgM27GBh6Q==
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 2DD5E7B538
	for <larch@yhetil.org>; Fri,  5 Apr 2024 18:52:57 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1rsmna-0003bP-Di; Fri, 05 Apr 2024 12:52:18 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <tona_kosmicznego_smiecia@interia.pl>)
 id 1rsmnY-0003Zp-P6
 for guix-devel@gnu.org; Fri, 05 Apr 2024 12:52:17 -0400
Received: from smtpo69.interia.pl ([217.74.67.69])
 by eggs.gnu.org with esmtps (TLS1.2:RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <tona_kosmicznego_smiecia@interia.pl>)
 id 1rsmnV-00008j-HZ
 for guix-devel@gnu.org; Fri, 05 Apr 2024 12:52:16 -0400
Received: from localhost (89-64-56-150.dynamic.chello.pl [89.64.56.150])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest
 SHA256) (No client certificate requested)
 by poczta.interia.pl (INTERIA.PL) with ESMTPSA;
 Fri,  5 Apr 2024 18:52:06 +0200 (CEST)
Date: Fri, 5 Apr 2024 18:52:06 +0200
From: Jan Wielkiewicz <tona_kosmicznego_smiecia@interia.pl>
To: Giovanni Biscuolo <g@xelera.eu>
Cc: Guix Devel <guix-devel@gnu.org>, guix-security@gnu.org, Felix Lechner
 <felix.lechner@lease-up.com>, Ryan Prior <rprior@protonmail.com>
Subject: Re: backdoor injection via release tarballs combined with binary
 artifacts (was Re: Backdoor in upstream xz-utils)
Message-ID: <20240405185206.7618b456@interia.pl>
In-Reply-To: <8734s1mn5p.fsf@xelera.eu>
References: <87ttkon4c4.fsf@protonmail.com>
 <KRd7y7M0o1HQsUlHonV0ZJDzgHgrAh6Mn1dnSvKq9RBCgBRTcy-MlK9Ai6PJPmiwzTh59wNVrAioo3n0uSrZ4r3n-YX9JOhtX6V6E1P37PQ=@protonmail.com>
 <8734s1mn5p.fsf@xelera.eu>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.41; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-IPL-Priority-Group: 0-0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=interia.pl; s=dk;
 t=1712335927; bh=9ED565wGD/eATBgeiNQQkjez+t2XfbtGrX/tQyPbPRY=;
 h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type;
 b=ABZe+9fgEuPptDhhk847oYdiya9s7KP7hHXF/wagkGG6BzMx0ZQvbVbxbqYxJ1ALK
 oC0s+zI8mUM7jzej5MobZELfq0lKlnaeHx3CgD5L00U0QsnoInGbiG5TNT2uVnnTsq
 OBdFqzhi9TisoAQ6VBjFh0nQROPn0h48G4rZsT+8=
Received-SPF: pass client-ip=217.74.67.69;
 envelope-from=tona_kosmicznego_smiecia@interia.pl; helo=smtpo69.interia.pl
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Spam-Score: -8.79
X-Migadu-Queue-Id: 2DD5E7B538
X-Migadu-Spam-Score: -8.79
X-Migadu-Scanner: mx10.migadu.com
X-TUID: D/+iV5+SGGPC

On Thu, 04 Apr 2024 12:34:42 +0200
Giovanni Biscuolo <g@xelera.eu> wrote:

> Hello everybody,
> 
> I know for sure that Guix maintainers and developers are working on
> this, I'm just asking to find some time to inform and possibly discuss
> with users (also in guix-devel) on what measures GNU Guix - the
> software distribution - can/should deploy to try to avoid this kind
> of attacks.

What about integrating ClamAV into the build farms (if this isn't a
thing already)? ClamAV could scan source files and freshly-built
packages and perhaps detect obvious malware. AFAIK it can also detect
CVEs. Guix already has ClamAV packaged so this shouldn't be that hard.

--

Jan Wielkiewicz