Subject: bug#72828: Grafting breaks libcamera signatures
From: Jacopo Mondi
To: 72828@debbugs.gnu.org
Date: Mon, 2 Sep 2024 10:37:58 +0200
In-Reply-To: <87h6b6b5v3.fsf@trop.in>

Hi,

I hope this mail reaches the issue tracker.

I'm one of the libcamera developers, and while I can't share any useful opinions on the guix build issue, I would like to clarify some points from the discussion above in order to help better understand the context on why we sign libraries and load unsigned modules in a separate context (as Ludo put it: why all this sophistication).

Quoting again Ludo

> This probably makes sense in the context that the copyright owner,
> Google, envisioned: presumably Android programs loading random
> proprietary modules coming from the app store. But I wonder what the
> point is in the context of a free GNU/Linux distro.

Not exactly. In libcamera, apart from creating a library to ease all the camera stack plumbing, we're creating an ecosystem of open-source 3A algorithms (what we call the IPA modules).
Camera vendors and ODMs which invested in products with specific camera features consider 3A algorithms and their tuning their secret sauce and are usually not willing to consider releasing them as open source with, fortunately, notable exceptions such as Raspberry Pi.

Please note that all the platforms libcamera supports have an open-source 3A algorithm module available as part of the main code base, and we consider open source 3A modules our 'first class citizens' and we're willing to develop and maintain them in libcamera mainline branch as free software, but at this point we have to provide a way for third-parties to load binary modules if they want to. The alternative is to have them continue developing camera stacks fully behind closed doors as it has been done so far.

As said, modules not built against the libcamera sources will not be signed, as they are distributed by other means by a vendor in binary form.

To establish if a module has been built with the libcamera sources or not, we sign it during the build with a volatile key and validate the signature at run-time, when the IPA module is loaded.

IPA modules for which the signature is not valid (either because they are distributed as binaries or, as in this case, because the build system strips symbols before installing the objects) are loaded in an isolated process and instead of being operated with direct function calls, we have implemented an IPC mechanism to communicate with them.

This path is way less tested by our regular users and in our daily work on libcamera. Vendors that are running their binaries as isolated might have fixed issues here and there but maybe they have not reported the issue and the associated fix upstream (we have no control over this).

For this reason I don't suggest running modules as isolated, even more if you have no reasons to do so. If all it takes is re-signing IPA modules after stripping them as Andrew did, I would really consider doing that.
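The ordering problem described in the message above, as an added example that is not part of the original mail and is not libcamera or Guix code: a module is signed at build time, rewritten afterwards, and only verifies again once it is re-signed as the last step. The file names, the 2048-bit RSA key, the `openssl dgst` invocation and the `load_mode` helper are assumptions made for the illustration, and the "module" is a constructed text file.

```shell
#!/bin/sh
# Constructed demo: sign a stand-in "module", alter it the way a post-build
# step (strip, grafting) would, and see verification fail until it is re-signed.

workdir=$(mktemp -d)
key="$workdir/ipa-priv.pem"   # hypothetical file names
pub="$workdir/ipa-pub.pem"
mod="$workdir/ipa_demo.so"

# Volatile key pair: generated fresh for this one build.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
openssl pkey -in "$key" -pubout -out "$pub" 2>/dev/null

# Detached signature stored next to the module (assumed layout).
sign_module() {
    openssl dgst -sha256 -sign "$key" -out "$1.sign" "$1"
}

verify_module() {
    openssl dgst -sha256 -verify "$pub" -signature "$1.sign" "$1" >/dev/null 2>&1
}

# Loader decision as the message describes it: a valid signature means direct
# function calls, anything else means an isolated process behind IPC.
load_mode() {
    if verify_module "$1"; then echo in-process; else echo isolated; fi
}

# Constructed stand-in for a freshly built module: code plus a symbol table.
printf 'CODE-BYTES\nSYMTAB-BYTES\n' > "$mod"
sign_module "$mod"
mode_built=$(load_mode "$mod")

# Stand-in for strip or grafting: the file content changes after signing.
printf 'CODE-BYTES\n' > "$mod"
mode_stripped=$(load_mode "$mod")

# Fix: sign again after the last step that rewrites the file.
sign_module "$mod"
mode_resigned=$(load_mode "$mod")

echo "built=$mode_built stripped=$mode_stripped resigned=$mode_resigned"
rm -rf "$workdir"
```

Re-signing has to run while the build's private key is still available, so it belongs in the same build as the stripping step.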