From: Christina O'Donnell
Subject: Re: Core updates status
Date: Thu, 25 Apr 2024 15:06:58 +0100
To: 40316@debbugs.gnu.org
Cc: guix-devel@gnu.org, Steve George
Message-ID: <2dc99b59-cb76-f822-f2ce-027f523bb682@mutix.org>
References: <451a97f9-0e16-c1b3-8884-52420e265db3@mutix.org>

Hi Steve,

> It would be good to confirm this one:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=40316

Still fails to reproduce with those changes applied.

The culprit is in nss/cmd/shlibsign/shlibsign.c: shlibSignHMAC generates a
new key-pair each time it's run:

    /* Generate a DSA key pair */
    logIt("Generate an HMAC key ... \n");
    crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
                                       hmacKeyTemplate, PR_ARRAY_SIZE(hmacKeyTemplate),
                                       &hHMACKey);

Three options:

 1. Disable library signing entirely.
 2. Seed the generation to be deterministic.
 3. Drop in a HMAC key-pair and patch the code to use that instead of generating.

2 and 3 defeat the point of the cryptographically secure supply chain as the
private key can be obtained deterministically, so my vote would be simply to
not sign the libraries (1), which would be easier to maintain. We're not the
primary distributor and users can verify our distribution of nss by running
`guix challenge` anyway.

> It looks like Zhen Junjie applied two patches to fix NSS cross-compilation on Master [0]

Building everything cross-compiled to ARM now.

Kind regards,
Christina
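The trade-off the message describes, as an added example (not code from the e-mail or from NSS): a Python model of shlibsign's HMAC-based .chk file, showing that a key generated fresh on every run makes the output non-reproducible, while a seeded or dropped-in key makes it reproducible but lets anyone who knows the key recompute a matching .chk for an altered library. The library bytes, key values and function names are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the bytes of a built shared library (not real contents).
LIBRARY = b"\x7fELF constructed library image"


def sign_library(library: bytes, key: bytes) -> bytes:
    """Analogue of shlibsign writing a .chk file: an HMAC over the library bytes."""
    return hmac.new(key, library, hashlib.sha256).digest()


def verify_library(library: bytes, key: bytes, chk: bytes) -> bool:
    """Analogue of the load-time self-check: recompute and compare in constant time."""
    return hmac.compare_digest(sign_library(library, key), chk)


def build_with_fresh_key(library: bytes) -> bytes:
    """As shipped: C_GenerateKey picks a new random key on every run, so two
    otherwise identical builds produce different .chk outputs."""
    return sign_library(library, secrets.token_bytes(32))


def build_with_fixed_key(library: bytes, key: bytes) -> bytes:
    """Options 2 and 3: a seeded or dropped-in key gives a reproducible .chk,
    but the key is then recoverable by anyone who reads the build recipe."""
    return sign_library(library, key)


def reproducible(build, *args) -> bool:
    """Bit-for-bit agreement of two independent builds: the property that
    `guix challenge` compares across substitute servers."""
    return build(*args) == build(*args)


def fixed_key_detects_corruption(library: bytes, key: bytes) -> bool:
    """A known key still catches accidental damage: a flipped bit in the
    library no longer matches the .chk that was shipped with it."""
    chk = build_with_fixed_key(library, key)
    damaged = bytearray(library)
    damaged[0] ^= 0x01
    return not verify_library(bytes(damaged), key, chk)


def fixed_key_detects_substitution(library: bytes, key: bytes) -> bool:
    """A known key does not catch deliberate substitution: whoever alters the
    library can recompute the .chk, so the self-check passes on the altered file.
    Reproducibility has to come from independent rebuilds, not from this HMAC."""
    altered = library + b" altered"
    chk = build_with_fixed_key(altered, key)  # recomputed alongside the change
    return not verify_library(altered, key, chk)
```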