From: ludo@gnu.org (Ludovic Courtès)
To: Nikita Karetnikov <nikita@karetnikov.org>
Cc: bug-guix@gnu.org
Subject: Re: New “guix refresh” command
Date: Fri, 10 May 2013 15:11:34 +0200
Message-ID: <87obcjt1x5.fsf@gnu.org>
In-Reply-To: <87bo8jfziy.fsf@karetnikov.org> (Nikita Karetnikov's message of "Fri, 10 May 2013 04:29:25 +0400")

Nikita Karetnikov <nikita@karetnikov.org> wrote:

>> Objects aren’t malicious.  Perhaps you’re talking about situations where
>> a mirror provides a tarball along with a valid signature, but said
>> signature is made with a random key, and the tarball is actually not
>> genuine, right?
>
> Yep.
>
>> Second, this is the same model as used by the OpenSSH client.  When the
>> client is first introduced to a host, it presents you its key
>> fingerprint, you type ‘y’, and that key gets added to your known hosts
>> file.  From there on, person-in-the-middle attacks are trivially
>> detected as a key mismatch.
>
> AFAICT, 'guix refresh' doesn't allow to check fingerprints.  If so, we
> must change it.

It doesn’t ask you to type ‘y’, but it does display the key fingerprint
when it first downloads it (well, gpg does.)

> Am I mistaken?  I'm not sure because it fails on my machine:
>
> # ./pre-inst-env guix refresh -u
>
> [...]
>
> In execlp of gpg2: No such file or directory

You need to have GnuPG 2.x installed:

  guix package -i gnupg

> guix refresh: warning: signature verification failed for `guile-2.0.9.tar.gz'
> guix refresh: warning: (could be because the public key is not in your keyring)
> gnu/packages/guile.scm:48:12: guile: updating from version 1.8.8 to version 2.0.9...

(Of course it shouldn’t try to update 1.8 to 2.0; future work...)

[...]

> In guix/scripts/refresh.scm:
>  167: 2 [#<procedure 98580e0 at guix/scripts/refresh.scm:151:22 (package)> #]
> In ice-9/boot-9.scm:
>  788: 1 [call-with-input-file #f ...]
> In unknown file:
>    ?: 0 [open-file #f "r" #:encoding #f #:guess-encoding #f]
>
> ERROR: In procedure open-file:
> ERROR: Wrong type (expecting string): #f

I’ve just changed it to gracefully handle this case.

>> It’s exactly what I would do manually.  What about you?
>
> It depends.  I usually use a similar page [1] to compare fingerprints
> and also check via keys.gnupg.net.

Well, it’s not clear that checking the checksum published on a web page
adds much to checking against a freshly downloaded tarball (a sufficiently
motivated attacker could just as well be serving you a modified web
page, after all.)

>>> Is it possible to use three mirrors to check keys and tarballs?
>
>> Check against what?  What do you want to address?
>
> Check them against each other.  But it's not the case because 'guix
> refresh' uses one server per package.

Hmm I tend to think this is unneeded paranoia, because such things are
eventually checked by all of us anyway.

(BTW, keep in mind that Git commits are not signed.  That would be by
far the easiest attack vector.)

Ludo’.
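
The trust-on-first-use model discussed in this message, as an added example (not part of the original thread and not Guix's code): it reads the signer fingerprint from gpg's machine-readable `--status-fd` output and compares it with a per-package pin. The fingerprints, status lines and the in-memory pin store are constructed for illustration.

```python
# Constructed fingerprints and gpg --status-fd lines; not real keys.
KEY_A = "A" * 40   # key seen on the first download
KEY_B = "B" * 40   # a different key whose signature is just as "valid"

def valid_status(fpr):
    """Build constructed status output for a good signature made by fpr."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer <signer@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2013-05-10 1368191494 0 4 0 1 2 00 {fpr}\n")

# What gpg reports when the signing key is not in the keyring.
NO_KEY_STATUS = ("[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1368191494 9\n"
                 "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")

def signer_fingerprint(status_text):
    """Return the signer's fingerprint from a VALIDSIG line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Prefer the primary-key fingerprint (last VALIDSIG field) so
            # that a rotated signing subkey does not look like a new signer.
            return parts[11] if len(parts) > 11 else parts[2]
    return None

def check_tofu(pins, package, status_text):
    """Classify one verification against the pin store (package -> fpr)."""
    fpr = signer_fingerprint(status_text)
    if fpr is None:
        return "unverified"      # no valid signature; never pin in this case
    pinned = pins.get(package)
    if pinned is None:
        pins[package] = fpr      # first use: nothing to compare against yet
        return "first-use"
    # A cryptographically valid signature from another key is still a mismatch.
    return "ok" if pinned == fpr else "mismatch"

def demo():
    pins = {}  # hypothetical pin store; a real one would persist to disk
    statuses = (NO_KEY_STATUS, valid_status(KEY_A),
                valid_status(KEY_A), valid_status(KEY_B))
    return [check_tofu(pins, "guile", s) for s in statuses]

if __name__ == "__main__":
    print(demo())
```

The "first-use" result is the step where the displayed fingerprint is the only thing a person can check out of band; every later result depends on that pin.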
