* Security of packages in official repo
From: Phil @ 2020-11-26 12:32 UTC
To: help-guix

Hi all,

I can find a few articles that give a good overview of Guix security with regard to ensuring that what is pulled onto my local server is always a true representation of the packages as intended by the package authors. There's also a good process for alerting Guix of potential security issues.

However, can anyone point me to, or explain - what is done to audit packages in the official Repo in the first place - i.e. how do I know that a piece of software supplied to me by Guix is not only delivered in a safe/reliable fashion, but is also free from malware potentially introduced by the authors/maintainers themselves?

How are new packages or updates audited or reviewed before being accepted into Guix's official repo?

It's a paranoid question I know - but it's a regular one on security audits to sign-off software use.... I know that nobody is going to audit every single line of code of every package, but knowing that some process exists is normally enough to satisfy the audit?

A similar question and fairly reassuring answer from the Ubuntu Security Team is given here - I was hoping to find something similar for Guix:
https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited

Thanks,
Phil
* Re: Security of packages in official repo
From: zimoun @ 2020-11-26 16:01 UTC
To: Phil, help-guix

Hi,

On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:

> However, can anyone point me to, or explain - what is done to audit
> packages in the official Repo in the first place - i.e. how do I know
> that a piece of software supplied to me by Guix is not only
> delivered in a safe/reliable fashion, but is also free from malware potentially
> introduced by the authors/maintainers themselves?

Nothing. It is about trust, as with any distribution.

Now, you can audit by yourself the source code, compile it yourself and check if it is the same that the substitutes serve you.

  # get the source
  guix build -S foo

  # build (fetch substitutes by default)
  guix build foo

  # re-build
  guix build foo --no-grafts --check

And if the binaries are different, it means unreproducibility is around; which implies weakness (unsafe is too strong).

Note “guix challenge” allows to compare what is built locally and what is served by the build farm. An experimental service is running to detect unreproducibility between the different build farms. For example scripts are floating around [1].

Moreover, if you are in paranoid mode, then you have to start to verify the bootstrap chain and the initial binary seed; ~60MB in Guix if I remember correctly and too much for Ubuntu and co.

1: <https://yhetil.org/guix-devel/86mu0rt95k.fsf@gmail.com>

> How are new packages or updates audited or reviewed before being accepted
> into Guix's official repo?
>
> It's a paranoid question I know - but it's a regular one on security
> audits to sign-off software use.... I know that nobody is going to audit
> every single line of code of every package, but knowing that some
> process exists is normally enough to satisfy the audit?

There is no formal process, AFAIK. But since no one wants crap running on their machine, we can guess it is informally done. :-)

> A similar question and fairly reassuring answer from the Ubuntu Security
> Team is given here - I was hoping to find something similar for Guix:
> https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited

I will not comment on this because it is a trap. You have no insurance (the ability to check) that the source code they audited corresponds to the binary you fetch and then run. Pedestrian video explaining that is here: <https://youtu.be/I2iShmUTEl8> (Sorry, maybe the video is on a platform more respectful but I am too lazy to search.)

AFAIK, Guix is one of the most advanced tools to check paranoid questions.

Last, if you are talking about CVE and security updates, they are pushed to master as soon as possible, IIUC.

Hope that helps,
simon
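The comparison that "guix challenge" and "guix build --check" perform, as an added example that is not part of the thread and not Guix's own code: Guix compares the normalized-archive (nar) hash of a locally built store item with the one served by a substitute server; this script approximates that by hashing two output trees file by file and listing the paths that differ, with a constructed sample whose only difference is an embedded build timestamp.

```sh
#!/bin/sh
# Added example, not Guix code: an approximation of what "guix challenge" and
# "guix build --check" detect. Guix compares the normalized-archive (nar) hash
# of a store item built locally against the one served by a substitute server;
# here two output trees are hashed file by file and the differing paths listed.

# Deterministic digest of one output tree: sorted relative paths plus the
# sha256 of each regular file, so mtimes and directory order play no role.
tree_digest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done)
}

# Print, one per line, the relative paths whose content differs between two
# builds (or exists in only one of them); prints nothing for identical trees.
differing_files() {
    a=$(tree_digest "$1")
    b=$(tree_digest "$2")
    # A "hash path" line that appears exactly once is a file that changed.
    printf '%s\n' "$a" "$b" | LC_ALL=C sort | uniq -u | cut -d' ' -f2- \
        | LC_ALL=C sort -u
}

# Constructed sample: two builds of the same package that agree except for a
# file embedding the build time, the classic source of unreproducible output.
make_sample() {
    root=$(mktemp -d)
    for out in build-1 build-2; do
        mkdir -p "$root/$out/bin" "$root/$out/share/doc"
        printf 'binary payload v1\n' > "$root/$out/bin/foo"
        printf 'README\n' > "$root/$out/share/doc/README"
    done
    printf 'built at 2020-11-26T12:32Z\n' > "$root/build-1/share/doc/BUILD-INFO"
    printf 'built at 2020-11-26T16:01Z\n' > "$root/build-2/share/doc/BUILD-INFO"
    printf '%s\n' "$root"
}

# Usage: sh repro-diff.sh DIR1 DIR2; with no arguments the sample above runs.
if [ "$#" -eq 2 ]; then
    differing_files "$1" "$2"
else
    sample=$(make_sample)
    echo "Files that differ between build-1 and build-2:"
    differing_files "$sample/build-1" "$sample/build-2"
    rm -rf "$sample"
fi
```

Pointing it at two real store items (for instance the output of the local rebuild and a copy fetched as a substitute) shows which files carry the non-determinism, which is the first question to answer when "--check" reports a mismatch.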
* Re: Security of packages in official repo
From: Ricardo Wurmus @ 2020-11-26 16:51 UTC
To: zimoun; +Cc: help-guix

zimoun <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware potentially
>> introduced by the authors/maintainers themselves?
>
> Nothing.

It’s a little more than nothing in some cases. For example, there was extensive work to gain confidence that Ungoogled Chromium does not phone home. Generally, anti-features such as update checkers that phone home are patched out.

We generally take the code as is, however, and don’t assume that every bit of free software out there is malware in disguise until it is demonstrated beyond reasonable doubt that this is not the case. That would neither be feasible nor would it guarantee satisfactory results.

--
Ricardo
* Re: Security of packages in official repo
From: zimoun @ 2020-11-26 19:30 UTC
To: Ricardo Wurmus; +Cc: help-guix

Hi Ricardo,

On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:

> zimoun <zimon.toutoune@gmail.com> writes:
>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of software supplied to me by Guix is not only
>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>> introduced by the authors/maintainers themselves?
>>
>> Nothing.

The correct quote is: «Nothing. It is about trust, as with any distribution.»

> It’s a little more than nothing in some cases. For example, there was
> extensive work to gain confidence that Ungoogled Chromium does not phone
> home. Generally, anti-features such as update checkers that phone home
> are patched out.
>
> We generally take the code as is, however, and don’t assume that every
> bit of free software out there is malware in disguise until it is
> demonstrated beyond reasonable doubt that this is not the case. That
> would neither be feasible nor would it guarantee satisfactory results.

Even if I agree and your complement makes total sense, and for sure I thank a lot all the collectively tough work done, I still claim that “you do not know that a piece of software supplied to you by <name-it> is free from malware potentially introduced by <whatever>”. The only way to know is to audit yourself, compile yourself using a toolchain that you audited yourself.

Therefore, it is about trust. The question is: what does Guix do to be trust-able? I think all the code around speaks by itself. And personally I trust people doing that job and then pushing to Guix.

Cheers,
simon
* Re: Security of packages in official repo
From: Ricardo Wurmus @ 2020-11-26 21:10 UTC
To: zimoun; +Cc: help-guix

zimoun <zimon.toutoune@gmail.com> writes:

> Hi Ricardo,
>
> On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:
>> zimoun <zimon.toutoune@gmail.com> writes:
>>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>>
>>>> However, can anyone point me to, or explain - what is done to audit
>>>> packages in the official Repo in the first place - i.e. how do I know
>>>> that a piece of software supplied to me by Guix is not only
>>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>>> introduced by the authors/maintainers themselves?
>>>
>>> Nothing.
>
> The correct quote is: «Nothing. It is about trust, as with any
> distribution.»

[…]

> Therefore, it is about trust.

Certainly, I do not disagree. When someone does extra work to audit the code and nobody is there to witness it … “does it make a sound”? :)

All diligence here is trust with extra steps, but it still is trust-based.

--
Ricardo
* Re: Security of packages in official repo
From: zimoun @ 2020-11-26 21:35 UTC
To: Ricardo Wurmus; +Cc: help-guix

Hi Ricardo,

On Thu, 26 Nov 2020 at 22:10, Ricardo Wurmus <rekado@elephly.net> wrote:

> Certainly, I do not disagree. When someone does extra work to audit the
> code and nobody is there to witness it … “does it make a sound”? :)

Thoughtful as a Chinese koan. :-)

I am so grateful for all this extra work.

Cheers,
simon
* Re: Security of packages in official repo
From: Phil @ 2020-11-26 19:07 UTC
To: zimoun; +Cc: help-guix

Thanks for the reply Simon.

zimoun writes:

> Nothing. It is about trust, as with any distribution. Now, you can
> audit by yourself the source code, compiled by yourself and check if it
> is the same that the substitutes serve you.

I understand that Guix makes the process of reproducibility and auditing much more rock-solid than most other distributions - and this more than satisfies any requirements I have for proving that software package X, is a true representation of source code X, built with toolchain Y. This is great - but my question is more mundane than that.

The good news is I think it's answered here:
https://guix.gnu.org/manual/en/guix.html#Submitting-Patches

Say I have a new piece of software I've developed and I want to make it available through Guix's official repo. I define a new Guix package for that app - and create a patch for it. The important point is that the patch is vetted by the members of guix-patches@gnu.org mail list. And I assume packages which appear inappropriate for whatever reason are not accepted by members of this list?

This is different to PyPI for example where (I believe) anyone can upload any content and have the public downloading it immediately without any approval or vetting - it's pretty Wild West. This makes some institutions unwilling to give students/employees/etc access to systems like PyPI... but on other systems where there is a degree of scrutiny required (such as patch vetting on Guix) - this can make a world of difference in terms of getting a tick in the right box.

Whether there is wisdom or any real protection is a separate question of course (nobody will guarantee every line of every source repo!), but nevertheless from a practical point of view, it can prove useful in getting software like Guix adopted - which is what I'm keen to do.

As a workaround it would seem perfectly possible to host a private Guix channel with a subset of packages on that have been internally vetted, but it would be more in the spirit of Guix to contribute and use the official package repo.

Thanks - hopefully I haven't overly laboured my point!
Phil
* Re: Security of packages in official repo
From: zimoun @ 2020-11-26 19:50 UTC
To: Phil; +Cc: help-guix

Hi,

On Thu, 26 Nov 2020 at 19:07, Phil <phil@beadling.co.uk> wrote:

> The important point is that the patch is vetted by the members of
> guix-patches@gnu.org mail list. And I assume packages which appear
> inappropriate for whatever reason are not accepted by members of this
> list?

Anyone can subscribe to guix-patches and discuss the patches. Give a look at: <http://issues.guix.gnu.org/>

However, a set of restricted people have commit access and so push code which is compliant with the GNU standards.

> As a workaround it would seem perfectly possible to host a private Guix
> channel with a subset of packages on that have been internally vetted,
> but it would be more in the spirit of Guix to contribute and use the
> official package repo.

Yes, custom Channels [1] is the way to deliver variants. Well, it is up to the channel maintainer to set the rules of the very channel; for instance, provide or not non-free software. Therefore, the Wild West could happen to some custom Channels.

1: <https://guix.gnu.org/manual/devel/en/guix.html#Channels>

All the best,
simon