all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Suggest another way of importing GNU Guix GPG key
@ 2019-06-29 21:11 dftxbs3e
  2019-06-29 21:40 ` Alex Vong
  0 siblings, 1 reply; 10+ messages in thread
From: dftxbs3e @ 2019-06-29 21:11 UTC (permalink / raw)
  To: guix-devel

Hello,

SKS keyservers are currently under attack 
(https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) - 
the attack can cause a GPG client to freeze completely and mess the GPG 
installation completely.

I suggest GNU Guix proposes another way of importing the GPG keys so 
that users will not suffer from this problem.

There's another, newer, keyserver, proposed in this gist, that is run by 
new software that doesnt suffer from this attack. See: 
https://keys.openpgp.org/about/news#2019-06-12-launch

However, that keyserver is not replicated. You could either use that one 
or simply offer a download of the key over TLS with verification against 
installed CAs, as secure as this can get.

Regards

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-06-29 21:11 Suggest another way of importing GNU Guix GPG key dftxbs3e
@ 2019-06-29 21:40 ` Alex Vong
  2019-06-29 21:57   ` Christopher Lemmer Webber
  2019-06-30  9:44   ` Giovanni Biscuolo
  0 siblings, 2 replies; 10+ messages in thread
From: Alex Vong @ 2019-06-29 21:40 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1057 bytes --]

Hello,

One solution would be to download the keyring from
<https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
the following way:

  $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz

Cheers,
Alex

dftxbs3e@free.fr writes:

> Hello,
>
> SKS keyservers are currently under attack
> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) - 
> the attack can cause a GPG client to freeze completely and mess the
> GPG installation completely.
>
> I suggest GNU Guix proposes another way of importing the GPG keys so
> that users will not suffer from this problem.
>
> There's another, newer, keyserver, proposed in this gist, that is run
> by new software that doesnt suffer from this attack. See:
> https://keys.openpgp.org/about/news#2019-06-12-launch
>
> However, that keyserver is not replicated. You could either use that
> one or simply offer a download of the key over TLS with verification
> against installed CAs, as secure as this can get.
>
> Regards


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-06-29 21:40 ` Alex Vong
@ 2019-06-29 21:57   ` Christopher Lemmer Webber
  2019-06-30  9:44   ` Giovanni Biscuolo
  1 sibling, 0 replies; 10+ messages in thread
From: Christopher Lemmer Webber @ 2019-06-29 21:57 UTC (permalink / raw)
  To: guix-devel

That's probably the right way to do it for now.

Alex Vong writes:

> Hello,
>
> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
>   $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>
> Cheers,
> Alex
>
> dftxbs3e@free.fr writes:
>
>> Hello,
>>
>> SKS keyservers are currently under attack
>> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) - 
>> the attack can cause a GPG client to freeze completely and mess the
>> GPG installation completely.
>>
>> I suggest GNU Guix proposes another way of importing the GPG keys so
>> that users will not suffer from this problem.
>>
>> There's another, newer, keyserver, proposed in this gist, that is run
>> by new software that doesnt suffer from this attack. See:
>> https://keys.openpgp.org/about/news#2019-06-12-launch
>>
>> However, that keyserver is not replicated. You could either use that
>> one or simply offer a download of the key over TLS with verification
>> against installed CAs, as secure as this can get.
>>
>> Regards

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-06-29 21:40 ` Alex Vong
  2019-06-29 21:57   ` Christopher Lemmer Webber
@ 2019-06-30  9:44   ` Giovanni Biscuolo
  2019-07-02 15:54     ` Leo Famulari
  1 sibling, 1 reply; 10+ messages in thread
From: Giovanni Biscuolo @ 2019-06-30  9:44 UTC (permalink / raw)
  To: Alex Vong, guix-devel

[-- Attachment #1: Type: text/plain, Size: 945 bytes --]

Hello Guix!

Alex Vong <alexvong1995@gmail.com> writes:

> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
>   $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>

Correct, the quick and "dirty" workaround is **to stop using the SKS
network** and warn Guix users to **manually download** certificates

This means we should quckly patch Guix manual: I've no time to propose a
patch today, I'll work on this tomorrow

We also nees to address this for **all** guix contributors: we require a
GPG signed commit, so each and every contributor/developer should
understand the risks of using SKS network and apply current proposed
workarounds: can we state this in maintenance.git/HACKING?

We sould act qulckly, IMHO

Thanks! Gio'

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-06-30  9:44   ` Giovanni Biscuolo
@ 2019-07-02 15:54     ` Leo Famulari
  2019-07-03 18:13       ` Leo Famulari
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2019-07-02 15:54 UTC (permalink / raw)
  To: Giovanni Biscuolo; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 910 bytes --]

On Sun, Jun 30, 2019 at 11:44:04AM +0200, Giovanni Biscuolo wrote:
> This means we should quckly patch Guix manual: I've no time to propose a
> patch today, I'll work on this tomorrow
> 
> We also nees to address this for **all** guix contributors: we require a
> GPG signed commit, so each and every contributor/developer should
> understand the risks of using SKS network and apply current proposed
> workarounds: can we state this in maintenance.git/HACKING?
> 
> We sould act qulckly, IMHO

This is also being discussed privately with the Guix maintainers. I
expect to push an update for the manual and HACKING today.

PGP signatures in the context of `guix refresh` will become worse than
useless without either 1) changes in upstream GnuPG or 2) if the key
holders personally upload their keys to <keys.openpgp.org>. We might
need to remove the signature verification feature entirely.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-07-02 15:54     ` Leo Famulari
@ 2019-07-03 18:13       ` Leo Famulari
  2019-07-13 18:29         ` Leo Famulari
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2019-07-03 18:13 UTC (permalink / raw)
  To: Giovanni Biscuolo; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 401 bytes --]

On Tue, Jul 02, 2019 at 11:54:17AM -0400, Leo Famulari wrote:
> This is also being discussed privately with the Guix maintainers. I
> expect to push an update for the manual and HACKING today.

An update on this:

The initial plan is to add the Guix signing key to the new
abuse-resistant keyserver at <keys.openpgp.org>. Once that has been done
we can update the manual and HACKING to point at this.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-07-03 18:13       ` Leo Famulari
@ 2019-07-13 18:29         ` Leo Famulari
  2019-07-17 20:40           ` dftxbs3e
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2019-07-13 18:29 UTC (permalink / raw)
  To: Giovanni Biscuolo; +Cc: guix-devel

On Wed, Jul 03, 2019 at 02:13:12PM -0400, Leo Famulari wrote:
> An update on this:
> 
> The initial plan is to add the Guix signing key to the new
> abuse-resistant keyserver at <keys.openpgp.org>. Once that has been done
> we can update the manual and HACKING to point at this.

This didn't happen, but the instructions have been changed to suggest
fetching the key directly from Savannah [0]. Additionally, the docs
about where to put one's commit signing key have also been updated [1].

[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ffae5a7946912ffd69dd4b608576cf2d75931fb2

[1]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=06e1ecbf17fee7fe513ad2808d8175fb3565ae3e

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-07-13 18:29         ` Leo Famulari
@ 2019-07-17 20:40           ` dftxbs3e
  2019-07-18  8:03             ` Ricardo Wurmus
  0 siblings, 1 reply; 10+ messages in thread
From: dftxbs3e @ 2019-07-17 20:40 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel, Guix-devel

Le 2019-07-13 20:29, Leo Famulari a écrit :
> On Wed, Jul 03, 2019 at 02:13:12PM -0400, Leo Famulari wrote:
>> An update on this:
>> 
>> The initial plan is to add the Guix signing key to the new
>> abuse-resistant keyserver at <keys.openpgp.org>. Once that has been 
>> done
>> we can update the manual and HACKING to point at this.
> 
> This didn't happen, but the instructions have been changed to suggest
> fetching the key directly from Savannah [0]. Additionally, the docs
> about where to put one's commit signing key have also been updated [1].
> 
> [0]
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ffae5a7946912ffd69dd4b608576cf2d75931fb2
> 
> [1]
> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=06e1ecbf17fee7fe513ad2808d8175fb3565ae3e

Hello,

https://guix.gnu.org/manual/en/html_node/Binary-Installation.html still 
recommends to download using keyservers.

Might want to update that as well.

Thank.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-07-17 20:40           ` dftxbs3e
@ 2019-07-18  8:03             ` Ricardo Wurmus
  2019-07-18  8:58               ` Julien Lepiller
  0 siblings, 1 reply; 10+ messages in thread
From: Ricardo Wurmus @ 2019-07-18  8:03 UTC (permalink / raw)
  To: dftxbs3e; +Cc: guix-devel


dftxbs3e@free.fr writes:

> https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
> still recommends to download using keyservers.

This is the manual corresponding to the latest release, which did not
include the change.  I think it would be warranted to change this even
though the online manual would not correspond to any release then, just
as we did it for the 1.0.0 release which included an installer bug.

--
Ricardo

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Suggest another way of importing GNU Guix GPG key
  2019-07-18  8:03             ` Ricardo Wurmus
@ 2019-07-18  8:58               ` Julien Lepiller
  0 siblings, 0 replies; 10+ messages in thread
From: Julien Lepiller @ 2019-07-18  8:58 UTC (permalink / raw)
  To: guix-devel, Ricardo Wurmus, dftxbs3e

Le 18 juillet 2019 10:03:18 GMT+02:00, Ricardo Wurmus <rekado@elephly.net> a écrit :
>
>dftxbs3e@free.fr writes:
>
>> https://guix.gnu.org/manual/en/html_node/Binary-Installation.html
>> still recommends to download using keyservers.
>
>This is the manual corresponding to the latest release, which did not
>include the change.  I think it would be warranted to change this even
>though the online manual would not correspond to any release then, just
>as we did it for the 1.0.0 release which included an installer bug.
>
>--
>Ricardo

We can do any change we want to the version-1.0.1 branch, it will be picked up, built and served automatically by the server.

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2019-07-18  8:59 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-29 21:11 Suggest another way of importing GNU Guix GPG key dftxbs3e
2019-06-29 21:40 ` Alex Vong
2019-06-29 21:57   ` Christopher Lemmer Webber
2019-06-30  9:44   ` Giovanni Biscuolo
2019-07-02 15:54     ` Leo Famulari
2019-07-03 18:13       ` Leo Famulari
2019-07-13 18:29         ` Leo Famulari
2019-07-17 20:40           ` dftxbs3e
2019-07-18  8:03             ` Ricardo Wurmus
2019-07-18  8:58               ` Julien Lepiller

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.