From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: New “guix refresh” command
Date: Fri, 10 May 2013 15:11:34 +0200
Message-ID: <87obcjt1x5.fsf@gnu.org>
References: <87ehdzlg89.fsf@gnu.org> <87d2t2ehnp.fsf@karetnikov.org> <87d2t24ejj.fsf@gnu.org> <87bo8jfziy.fsf@karetnikov.org>
In-Reply-To: <87bo8jfziy.fsf@karetnikov.org> (Nikita Karetnikov's message of "Fri, 10 May 2013 04:29:25 +0400")
To: Nikita Karetnikov
Cc: bug-guix@gnu.org

Nikita Karetnikov skribis:

>> Objects aren’t malicious. Perhaps you’re talking about situations where
>> a mirror provides a tarball along with a valid signature, but said
>> signature is made with a random key, and the tarball is actually not
>> genuine, right?
>
> Yep.
>
>> Second, this is the same model as used by the OpenSSH client. When the
>> client is first introduced to a host, it presents you its key
>> fingerprint, you type ‘y’, and that key gets added to your known hosts
>> file. From there on, person-in-the-middle attacks are trivially
>> detected as a key mismatch.
>
> AFAICT, 'guix refresh' doesn't allow checking fingerprints. If so, we
> must change it.

It doesn’t ask you to type ‘y’, but it does display the key fingerprint
when it first downloads it (well, gpg does.)

> Am I mistaken? I'm not sure because it fails on my machine:
>
> # ./pre-inst-env guix refresh -u
>
> [...]
>
> In execlp of gpg2: No such file or directory

You need to have GnuPG 2.x installed:

  guix package -i gnupg

> guix refresh: warning: signature verification failed for `guile-2.0.9.tar.gz'
> guix refresh: warning: (could be because the public key is not in your keyring)
> gnu/packages/guile.scm:48:12: guile: updating from version 1.8.8 to version 2.0.9...

(Of course it shouldn’t try to update 1.8 to 2.0; future work...)

[...]

> In guix/scripts/refresh.scm:
> 167: 2 [# #]
> In ice-9/boot-9.scm:
> 788: 1 [call-with-input-file #f ...]
> In unknown file:
> ?: 0 [open-file #f "r" #:encoding #f #:guess-encoding #f]
>
> ERROR: In procedure open-file:
> ERROR: Wrong type (expecting string): #f

I’ve just changed it to gracefully handle this case.

>> It’s exactly what I would do manually. What about you?
>
> It depends. I usually use a similar page [1] to compare fingerprints
> and also check via keys.gnupg.net.

Well, it’s not clear that checking the checksum published on a web page
adds much to checking against a freshly downloaded tarball (a sufficiently
motivated attacker could just as well be serving you a modified web page,
after all.)

>>> Is it possible to use three mirrors to check keys and tarballs?
>
>> Check against what? What do you want to address?
>
> Check them against each other. But it's not the case because 'guix
> refresh' uses one server per package.

Hmm, I tend to think this is unneeded paranoia, because such things are
eventually checked by all of us anyway.

(BTW, keep in mind that Git commits are not signed. That would be by far
the easiest attack vector.)

Ludo’.
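The two outcomes discussed above (a signature that fails because the key is not in the keyring, versus a signer whose key changes after it was first seen) can be told apart from gpg's machine-readable `--status-fd` output. The following is an added illustration, not code from Guix or from this thread: it classifies constructed status lines and applies the OpenSSH-style trust-on-first-use check to the signer's fingerprint; the `pins` dictionary and the verdict strings are assumptions of this example.

```python
"""Classify `gpg --status-fd 1 --verify` output and pin signer fingerprints (TOFU)."""
from typing import Dict, Optional, Tuple

# Constructed sample status output, not captured from a real run.
STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2013-05-10 1368190000 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1368190000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
STATUS_OTHER_SIGNER = STATUS_GOOD.replace("0000111122223333444455556666777788889999",
                                          "FFFF000011112222333344445555666677778888")

def classify(status: str) -> Tuple[str, Optional[str]]:
    """Map gpg status lines to ("valid", fingerprint), ("no-pubkey", keyid),
    ("bad", None) or ("error", None)."""
    fingerprint = None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "VALIDSIG":           # only emitted for a verified signature
            fingerprint = fields[2]
        elif tag == "NO_PUBKEY":        # the "key not in your keyring" case
            return "no-pubkey", fields[2]
        elif tag == "BADSIG":           # signature does not match the data
            return "bad", None
    return ("valid", fingerprint) if fingerprint else ("error", None)

def verify_update(pins: Dict[str, str], package: str, status: str) -> str:
    """TOFU: the first signer seen for a package is recorded; a later signature
    by a different key is reported as a mismatch rather than silently accepted."""
    verdict, value = classify(status)
    if verdict != "valid":
        return verdict
    pinned = pins.get(package)
    if pinned is None:
        pins[package] = value        # first contact: record and show the fingerprint
        return "pinned"
    return "match" if pinned == value else "mismatch"
```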