From: Nikita Karetnikov
Subject: Re: New “guix refresh” command
Date: Fri, 10 May 2013 04:29:25 +0400
Message-ID: <87bo8jfziy.fsf@karetnikov.org>
References: <87ehdzlg89.fsf@gnu.org> <87d2t2ehnp.fsf@karetnikov.org> <87d2t24ejj.fsf@gnu.org>
To: Ludovic Courtès
Cc: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix

> Objects aren’t malicious. Perhaps you’re talking about situations where
> a mirror provides a tarball along with a valid signature, but said
> signature is made with a random key, and the tarball is actually not
> genuine, right?

Yep.

> Second, this is the same model as used by the OpenSSH client. When the
> client is first introduced to a host, it presents you its key
> fingerprint, you type ‘y’, and that key gets added to your known hosts
> file. From there on, person-in-the-middle attacks are trivially
> detected as a key mismatch.

AFAICT, 'guix refresh' doesn't allow checking fingerprints. If so, we
must change it. Am I mistaken? I'm not sure because it fails on my
machine:

# ./pre-inst-env guix refresh -u
[...]
In execlp of gpg2: No such file or directory
guix refresh: warning: signature verification failed for `guile-2.0.9.tar.gz'
guix refresh: warning: (could be because the public key is not in your keyring)
gnu/packages/guile.scm:48:12: guile: updating from version 1.8.8 to version 2.0.9...
Backtrace:
In ice-9/boot-9.scm:
 157: 12 [catch #t # ...]
In unknown file:
   ?: 11 [apply-smob/1 #]
In ice-9/boot-9.scm:
  63: 10 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 9 [eval # #]
In ice-9/boot-9.scm:
2320: 8 [save-module-excursion #]
3966: 7 [#]
In unknown file:
   ?: 6 [load-compiled/vm "/root/.cache/guile/ccache/2.0-LE-4-2.0/home/guix-test2/scripts/guix.go"]
In guix/ui.scm:
 417: 5 [guix-main "/home/guix-test2/scripts/guix" "refresh" "-u"]
In ice-9/boot-9.scm:
 157: 4 [catch srfi-34 # ...]
In srfi/srfi-1.scm:
 619: 3 [for-each # ...]
In guix/scripts/refresh.scm:
 167: 2 [# #]
In ice-9/boot-9.scm:
 788: 1 [call-with-input-file #f ...]
In unknown file:
   ?: 0 [open-file #f "r" #:encoding #f #:guess-encoding #f]
ERROR: In procedure open-file:
ERROR: Wrong type (expecting string): #f

> It’s exactly what I would do manually. What about you?

It depends. I usually use a similar page [1] to compare fingerprints
and also check via keys.gnupg.net. Sometimes I try to get more
information elsewhere. Again, the sad truth is that it's easier not to
sign an ingenuine tarball at all.

>> Is it possible to use three mirrors to check keys and tarballs?

> Check against what? What do you want to address?

Check them against each other. But it's not the case because 'guix
refresh' uses one server per package.

> I’ve made this suggestion to one of the FSF sysadmins, but it seems to
> need further discussion, and probably input from crypto-savvy people.
OK.

[1] http://gcc.gnu.org/mirrors.html
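The check the thread says 'guix refresh' lacks, comparing the fingerprint of the key that actually signed a tarball against one recorded on first contact (the OpenSSH-style model above), and telling that apart from "public key is not in your keyring", can be built on GnuPG's machine-readable status output. This is an added example, not code from the thread or from Guix; the pinned fingerprint, key IDs and status transcripts below are constructed, and verify_tarball is a hypothetical wrapper.

```python
import re
import subprocess

# Status lines that `gpg --status-fd 1 --verify SIG FILE` prints (format from
# GnuPG's doc/DETAILS).  VALIDSIG carries the full 40-hex-digit fingerprint
# of the key that made the signature, which is what we pin against.
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")
NO_PUBKEY = re.compile(r"^\[GNUPG:\] NO_PUBKEY ")
BADSIG = re.compile(r"^\[GNUPG:\] BADSIG ")

def classify(status_output: str, pinned_fingerprint: str) -> str:
    """Verdict for a tarball from gpg status output and a pinned fingerprint.

    "ok"            valid signature from the key recorded on first contact
    "missing-key"   signer's public key is not in the keyring (cannot decide)
    "bad-signature" signature does not match the file contents
    "wrong-key"     valid signature, but from another key: the "random key"
                    mirror case from the thread, so the tarball is rejected
    "unverified"    gpg produced none of the above (e.g. gpg2 was not found)
    """
    pinned = pinned_fingerprint.replace(" ", "").upper()
    for line in status_output.splitlines():
        if BADSIG.match(line):
            return "bad-signature"
        if NO_PUBKEY.match(line):
            return "missing-key"
        m = VALIDSIG.match(line)
        if m:
            return "ok" if m.group(1) == pinned else "wrong-key"
    return "unverified"

def verify_tarball(tarball: str, signature: str, pinned_fingerprint: str) -> str:
    """Hypothetical wrapper: run gpg on a real file pair and classify it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True)
    return classify(proc.stdout, pinned_fingerprint)

# Constructed status transcripts for the cases discussed; fingerprints are made up.
PINNED = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"
FPR_PINNED = PINNED.replace(" ", "")
FPR_OTHER = "1234567890ABCDEF1234567890ABCDEF12345678"
GOOD = ("[GNUPG:] GOODSIG 0000111122223333 Guile Maintainer <ex@example.org>\n"
        f"[GNUPG:] VALIDSIG {FPR_PINNED} 2013-05-09 1368122400 0 4 0 1 2 00 {FPR_PINNED}\n")
WRONG = ("[GNUPG:] GOODSIG 90ABCDEF12345678 Somebody Else <mirror@example.net>\n"
         f"[GNUPG:] VALIDSIG {FPR_OTHER} 2013-05-09 1368122400 0 4 0 1 2 00 {FPR_OTHER}\n")
NOKEY = ("[GNUPG:] ERRSIG 0000111122223333 1 2 00 1368122400 9\n"
         "[GNUPG:] NO_PUBKEY 0000111122223333\n")
BAD = "[GNUPG:] BADSIG 0000111122223333 Guile Maintainer <ex@example.org>\n"
```

Only "ok" should let an updater proceed; "missing-key" is the case the warning in the log above describes, and "wrong-key" is the mirror-with-a-random-key case.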