From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1.migadu.com ([2001:41d0:403:58f0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms1.migadu.com with LMTPS
	id IKfcBnSAImaH1gAA62LTzQ:P1
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 19 Apr 2024 16:32:20 +0200
Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1.migadu.com with LMTPS
	id IKfcBnSAImaH1gAA62LTzQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 19 Apr 2024 16:32:20 +0200
X-Envelope-To: larch@yhetil.org
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=gnu.org header.s=fencepost-gnu-org header.b=io+9nsxE;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1713537140;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=RoAdEra83je18avY1wdphXyg62IQYMVLNCS0ZLSG8W0=;
	b=XHi0DMnR9FLM5BDWSkOsYEPs6zrLzWg12G5Wzx/jxARuCH5kzyx/glcVYG6ZtdTsC3wyAu
	jz7szqXLOzyqsJVH822LHPpNGS7xm5vGGdno1K/XbEXu5QVWmic+92xZQopOsDQVav/AJr
	q0jQoAawejGDfyZ3yRaP4linsP3nrQBoJPhiy9b4+gazy0FApPCbB53cUgpiZ20QFhUe6W
	EyjjeBdmSI6XnFShVIPBI9s8taubm1wU7rXMI27rI0EyL5B6sKymVV+M3O3rywSgY5Mvj1
	25dJetlTYjq3yULGLz5UBt9jbbPq/s2QJfiwFWd0aWtZUy/cUz/FmIpe95Pbkg==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=gnu.org header.s=fencepost-gnu-org header.b=io+9nsxE;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1713537140; a=rsa-sha256; cv=none;
	b=es/TW4UrHkJzgh/bGLNk+g6qff6QkIrPDtxoHFOy2hkyEfexUW7ONx6IYYFydhXfxbyAyj
	GRAbrl+XYPODXRmmY5DOea2SWsrNusWaoWHsc+IVm1VA98e+ZTJihouRKdmQJ5PLAybrV2
	q0KnKUQySfJA9D0gVU94Z50x5cDODBdKau9ZGiKl2x8jogMUeBUracouE5gM59/NqNkK3g
	I5oSpTDaX1ERbz4NcsoexfkrqKJFvLrcpz0lRBZZeG71m//lAvCjifFMki1d3RFF6JuFv0
	4mbpBeOc/lpfW5ax+Wr5hQz1f7ynw6P/ol2NEfvXsnNBzb4yFS6T90W5QEJmiA==
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id BE7513968
	for <larch@yhetil.org>; Fri, 19 Apr 2024 16:32:19 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1rxpHG-00073E-DZ; Fri, 19 Apr 2024 10:31:46 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1rxpHE-000734-Og
 for guix-devel@gnu.org; Fri, 19 Apr 2024 10:31:44 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1rxpHA-0000Ve-Sl; Fri, 19 Apr 2024 10:31:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=RoAdEra83je18avY1wdphXyg62IQYMVLNCS0ZLSG8W0=; b=io+9nsxEu3ofYxQ8XxbB
 hk0M9OCQlCG+ynZWXSyumEgrdidIoPEVr2rJh6rsWdXhdOCmW14E+4ysAfyfIdFy9bb8ZVcEvWX/A
 3UEg19m1hw7Ls6PBZgM9mB67zcFuWSCczOksZrVWoxyk/XdTMq1BFhWvuHkvuGK6jXvH0DrUe7lXW
 9ETgQAcyuVC15Hy6jQu1YVYHfWMGjnKXx8TPiCQyqKU1OBQQMnWBgYDdIuXGTXjh7Jld+z4M7CTZ1
 We0nbEFaWvMq9xLIBEj/F4rQMavemwl0DACIGC9PRr+3x2f+QxOQEgMSHHZ4VUm5hVzh04PVYCKvy
 /4tDbtZ+wI9qzQ==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
To: Skyler Ferris <skyvine@protonmail.com>
Cc: Andreas Enge <andreas@enge.fr>,  Ekaitz Zarraga <ekaitz@elenq.tech>,
 Attila Lendvai <attila@lendvai.name>,  Giovanni Biscuolo <g@xelera.eu>,
 Guix Devel <guix-devel@gnu.org>
Subject: Re: backdoor injection via release tarballs combined with binary
 artifacts (was Re: Backdoor in upstream xz-utils)
In-Reply-To: <fac0c932-0dc6-4acf-b2d5-e82a3ffa66e6@protonmail.com> (Skyler
 Ferris's message of "Sat, 13 Apr 2024 00:14:17 +0000")
References: <87ttkon4c4.fsf@protonmail.com>
 <KRd7y7M0o1HQsUlHonV0ZJDzgHgrAh6Mn1dnSvKq9RBCgBRTcy-MlK9Ai6PJPmiwzTh59wNVrAioo3n0uSrZ4r3n-YX9JOhtX6V6E1P37PQ=@protonmail.com>
 <8734s1mn5p.fsf@xelera.eu> <87zfu9ku4l.fsf@xelera.eu>
 <nONOKK2qA2Y-irHHtLLp7qaWIL0zSvvDHIZZ1j5qTfPMLqpG4jHzZfX_naiK81C32CVpzeM_b3zPgGblw5GosJwre5wLQXJHp7k9M8DlQQc=@lendvai.name>
 <6e743725-26f0-669c-b088-e56c850110c8@elenq.tech>
 <87wmp5l3r3.fsf@gnu.org> <Zhfa6vsp0c0x7ml8@jurong>
 <8076578a-bebd-0f26-6d39-f634ded290ce@elenq.tech>
 <ZhfqfMcKgBSq6PDQ@jurong>
 <fac0c932-0dc6-4acf-b2d5-e82a3ffa66e6@protonmail.com>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: Primidi 1 =?utf-8?Q?Flor=C3=A9al?= an 232 de la
 =?utf-8?Q?R=C3=A9volution=2C?= jour de la Rose
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Fri, 19 Apr 2024 16:31:37 +0200
Message-ID: <87edb1e852.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Migadu-Spam-Score: -9.07
X-Migadu-Scanner: mx11.migadu.com
X-Spam-Score: -9.07
X-Migadu-Queue-Id: BE7513968
X-TUID: DL+eo6cpcEhW

Hi,

Skyler Ferris <skyvine@protonmail.com> skribis:

> In short, I'm not sure that we actually get any value from checking the=20
> PGP signature for most projects. Either HTTPS is good enough or the=20
> attacker won. 99% of the time HTTPS is good enough (though it is notable=
=20
> that the remaining 1% has a disproportionate impact on the affected=20
> population).

When checking PGP signatures, you end up with a trust-on-first-use
model: the first time, you download a PGP key that you know nothing
about and you authenticate code against that, which gives no
information.

On subsequent releases though, you can ensure (ideally) that releases
still originates from the same party.

HTTPS has nothing to do with that: it just proves that the web server
holds a valid certificate for its domain name.

But really, the gold standard, if I dare forego any form of modesty, is
the =E2=80=98.guix-authorizations=E2=80=99 model as it takes care of key di=
stribution as
well as authorization delegation and revocation.

  https://doi.org/10.22152/programming-journal.org/2023/7/1

Ludo=E2=80=99.