From: Simon Josefsson <simon@josefsson.org>
To: guix-devel@gnu.org
Subject: Protect against 'guix pull' providing stale data
Date: Tue, 07 Feb 2023 09:14:18 +0100
Message-ID: <87cz6lzycl.fsf@kaka.sjd.se>
List-Id: "Development of GNU Guix and the GNU System distribution."
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
Hi all,

I was watching https://fosdem.org/2023/schedule/event/security_where_does_that_code_come_from/ and one concern that came up was that there is no protection or mitigation against 'guix pull' servers providing machines old data, to (for example) stall security updates from reaching a server. Currently the Savannah sysadmins have the power to delay security updates for my machine. I think this should be considered an unwanted behaviour that warrants some action, either tooling improvement or documentation.

There are many ways to improve the situation, even though addressing the problem completely is difficult (most if not all GNU/Linux distributions have similar issues). Some ideas:

* Warn if the repository has not seen a commit for > 7 days, with the delay being configurable. This may be a bad idea: warnings are generally not appreciated by users, security warnings especially so.

* Have 'guix pull' show metadata for the last commit it received (e.g., show output from: git log -1) to give users a way of noticing that it is not seeing new data. Currently only the git commit id is shown, which does not convey enough information.
* Adopt a way for repositories to state the validity period of their content, to make the 7 days a bit configurable; compare for example: https://wiki.debian.org/DebianRepository/Format#Date.2C_Valid-Until The idea being that 'guix pull' would fail if the repository hasn't been touched after the specified interval end, causing the user to notice and take action. The maximum interval provided by the repository should probably be limited by a locally configured maximum delay for which the user is willing to see only old data. This brings up other concerns (what if someone steals an OpenPGP signing key and changes it to 70000 days and pushes that out to one machine only based on IP address, and then stalls that machine from updating again) but it seems to provide decent user experience and some good protection by default. Protecting against OpenPGP key breaches can be mitigated by other means, and shouldn't be a strong argument against this improvement to stale servers.

* Have a third party, or even decentralized system, monitoring service where each client can compare the commit data they got from 'guix pull' with what everyone else is seeing. This provides global consistency of what Guix machines are seeing for the Guix repositories, similar to Certificate Transparency. This protects against targeted stale data attacks only, but that may be sufficient: any non-targeted stale data attack is likely to be noticed by Guix maintainers. This would also protect against substitution attacks, although I'm not sure if Guix protects against them by other means? I'm thinking a malicious savannah could send me core-updates instead of master, but call it master to my machine, and I'll not notice that I got a different branch instead. Does 'guix authenticate' verify meta-data such as git branch in a way where the server cannot fake this data?

There are many other ideas too. Thoughts?
/Simon
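The freshness policy sketched in the post above (a repository-declared validity period capped by a locally configured maximum delay, plus a 'git log -1'-style summary of the last commit received), as an added example that is not part of the original message or of Guix itself. The metadata key 'valid-for-days', the commit record layout and the sample data are constructed for this example.

```python
"""Freshness check for a 'guix pull'-style channel update (illustrative, not Guix code)."""
from datetime import datetime, timedelta, timezone

LOCAL_MAX_DAYS = 7  # the user's own cap; the repository can never raise it

# Constructed sample data: "now" and two commit records as a client might
# have received them from a channel mirror.
NOW = datetime(2023, 2, 7, 9, 14, tzinfo=timezone.utc)
FRESH_COMMIT = {"id": "0123abcd", "author": "A. Maintainer",
                "time": NOW - timedelta(days=2), "subject": "gnu: foo: Update to 1.2."}
OLD_COMMIT = {"id": "89efdead", "author": "A. Maintainer",
              "time": NOW - timedelta(days=30), "subject": "gnu: bar: Security fix."}


def repo_validity_days(metadata):
    """Validity the repository claims for its latest content, or None if unstated.
    A missing value falls back to the local cap; a non-positive value is malformed."""
    raw = metadata.get("valid-for-days")  # assumed metadata key
    if raw is None:
        return None
    days = int(raw)
    if days <= 0:
        raise ValueError("valid-for-days must be positive")
    return days


def effective_limit_days(metadata, local_max=LOCAL_MAX_DAYS):
    """The smaller of the repository's claim and the local cap, so a repository
    (or a stolen signing key) declaring 70000 days gains nothing."""
    claimed = repo_validity_days(metadata)
    return local_max if claimed is None else min(claimed, local_max)


def check_freshness(commit, metadata, now=NOW, local_max=LOCAL_MAX_DAYS):
    """Return ("ok" | "stale", age_in_days) for the latest commit received."""
    age_days = (now - commit["time"]).days
    status = "stale" if age_days > effective_limit_days(metadata, local_max) else "ok"
    return status, age_days


def describe_commit(commit):
    """A 'git log -1'-style summary, so the user sees more than a bare commit id."""
    return (f"commit {commit['id']}\nAuthor: {commit['author']}\n"
            f"Date:   {commit['time'].isoformat()}\n\n    {commit['subject']}")


if __name__ == "__main__":
    for commit in (FRESH_COMMIT, OLD_COMMIT):
        status, age = check_freshness(commit, {"valid-for-days": 70000})
        print(describe_commit(commit))
        print(f"-> {status}: last commit is {age} days old\n")
```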