From: Ekaitz Zarraga <ekaitz@elenq.tech>
To: Attila Lendvai, Giovanni Biscuolo
Cc: Guix Devel <guix-devel@gnu.org>
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Date: Thu, 4 Apr 2024 22:32:10 +0200
Message-ID: <6e743725-26f0-669c-b088-e56c850110c8@elenq.tech>
References: <87ttkon4c4.fsf@protonmail.com> <8734s1mn5p.fsf@xelera.eu> <87zfu9ku4l.fsf@xelera.eu>

Hi,

I just want to add some perspective from the bootstrapping.

On 2024-04-04 21:48, Attila Lendvai wrote:
>
> all in all, just by following my gut instincts, i was advocating for building everything from git even before the exposure of this backdoor. in fact, i found it surprising as a guix newbie that not everything is built from git (or their VCS of choice).

That has happened to me too. Why not use Git directly always?

In the bootstrapping it's also a problem, as all those tools (autotools) must be bootstrapped, and they require other programs (compilers) that actually use them.
And we'll be forced to use git, too, or at least clone the bootstrapping repos, git-archive them ourselves and host them properly signed. At least, we could challenge them using git (similar to what we do with the substitutes), which we cannot do right now with the release tarballs against the actual code of the repository.

In live-bootstrap they just write the build scripts by hand, and ignore whatever the ./configure script says. That's also a reasonable way to tackle the bootstrapping, but it's a hard one.

Thankfully, we are working together in this Bootstrapping effort so we can learn from them and adapt their recipes to our Guix commencement.scm module. This would be some effort, but it's actually doable.

Hope this adds something useful to the discussion,

Ekaitz
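The "challenge" described in the message above, comparing a release tarball against what `git archive` produces for the tagged tree, as an added Python example that is not part of this thread or of Guix. It assumes both archives wrap the tree in a single top-level directory (as release tarballs and `git archive --prefix=` do); the two tarballs are constructed in memory, and the report lists files present only in the release tarball or modified relative to the VCS tree, which is exactly the content no VCS history vouches for.

```python
import hashlib
import io
import tarfile


def _digests(tar_bytes: bytes) -> dict:
    """Map each regular file to its SHA-256, with the top-level directory
    (foo-1.0/) stripped so a release tarball and a git archive line up."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                out[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def challenge(release_tar: bytes, vcs_tar: bytes) -> dict:
    """Compare a release tarball against `git archive` of the tagged tree.
    only_in_release and modified are the bytes the VCS history does not
    vouch for (a generated ./configure, an edited build script, ...)."""
    rel, vcs = _digests(release_tar), _digests(vcs_tar)
    return {
        "only_in_release": sorted(rel.keys() - vcs.keys()),
        "only_in_vcs": sorted(vcs.keys() - rel.keys()),
        "modified": sorted(p for p in rel.keys() & vcs.keys() if rel[p] != vcs[p]),
    }


def make_tar(prefix: str, files: dict) -> bytes:
    """Build an in-memory .tar.gz (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed trees: git holds only sources; the release tarball additionally
# carries a generated ./configure and a build script that differs from git.
VCS_TREE = {"src/main.c": b"int main(void) { return 0; }\n",
            "build-aux/helper.sh": b"#!/bin/sh\nexit 0\n"}
RELEASE_TREE = {**VCS_TREE,
                "configure": b"#!/bin/sh\n# generated by autoconf\n",
                "build-aux/helper.sh": b"#!/bin/sh\nexit 1\n"}

if __name__ == "__main__":
    print(challenge(make_tar("foo-1.0", RELEASE_TREE), make_tar("foo-1.0", VCS_TREE)))
```

Against a real project, the second argument would be the output of `git archive --prefix=foo-1.0/ v1.0` on the signed tag, and a clean report is what would let a distribution build from the tarball with the same confidence as from git.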