From: Giovanni Biscuolo
To: Attila Lendvai
Cc: Guix Devel, guix-security@gnu.org
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Organization: Xelera.eu
References: <87ttkon4c4.fsf@protonmail.com> <8734s1mn5p.fsf@xelera.eu>
Date: Thu, 04 Apr 2024 18:47:37 +0200
Message-ID: <87sf01krbq.fsf@xelera.eu>

Hi Attila,

Attila Lendvai writes:

>> Also, in (info "(guix) origin Reference") I see that Guix packages
>> can have a list of uri(s) for the origin of source code, see xz as an
>> example [7]: are they intended to be multiple independent sources to
>> be compared in order to prevent possible tampering or are they "just"
>> alternatives to be used if the first listed uri is unavailable?
>
> a source origin is identified by its cryptographic hash (stored in its
> sha256 field); i.e. it doesn't matter *where* the source archive was
> acquired from. if the hash matches the one in the package definition,
> then it's the same archive that the guix packager has seen while
> packaging.

Ehrm, you are right, mine was a stupid question :-)

We *are* already verifying that tarballs had not been tampered with... by
other people but the release manager :-(

[...]

Happy hacking!

Gio'

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
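An added example (not code from the thread or from Guix itself) of the origin semantics Attila describes and the limit Giovanni points at: several uris, one recorded sha256, the first payload matching the hash is accepted wherever it came from, and an archive that was already backdoored when the packager hashed it matches by construction. The mirror contents and the `fetch` callback are constructed stand-ins.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fetch_origin(uris, expected_sha256, fetch):
    """Origin semantics as described in the thread: try each uri in order and
    accept the first payload whose sha256 equals the recorded hash; where the
    bytes came from does not matter. fetch(uri) is a hypothetical callback
    returning bytes, or None when that mirror is unreachable."""
    rejected = []
    for uri in uris:
        data = fetch(uri)
        if data is None:
            rejected.append((uri, "unreachable"))
            continue
        digest = sha256_hex(data)
        if digest != expected_sha256:
            rejected.append((uri, "sha256 mismatch " + digest[:12]))
            continue
        return uri, data
    raise RuntimeError("no uri matched %s: %r" % (expected_sha256[:12], rejected))

# Constructed sample data (not real release bytes): the archive the packager
# hashed when writing the package definition, and its recorded sha256.
GOOD_TARBALL = b"xz-5.6.1.tar.gz: constructed stand-in for the release archive\n"
RECORDED_SHA256 = sha256_hex(GOOD_TARBALL)

# Constructed mirrors: one down, one serving an archive altered in transit by
# a third party, one serving the archive the packager saw.
MIRRORS = {
    "https://mirror-a.example/xz-5.6.1.tar.gz": None,
    "https://mirror-b.example/xz-5.6.1.tar.gz": GOOD_TARBALL + b"altered\n",
    "https://mirror-c.example/xz-5.6.1.tar.gz": GOOD_TARBALL,
}

def third_party_tampering_is_caught():
    """mirror-b's altered archive is rejected, mirror-c's intact one accepted."""
    uri, _ = fetch_origin(list(MIRRORS), RECORDED_SHA256, MIRRORS.get)
    return uri

def release_manager_tampering_passes():
    """The limit Giovanni points at: if the archive the packager hashed was
    already backdoored by whoever cut the release, the hash matches by design."""
    backdoored = GOOD_TARBALL + b"constructed backdoor stand-in\n"
    recorded = sha256_hex(backdoored)          # packager hashed the bad release
    _, data = fetch_origin(["https://mirror-x.example/xz.tar.gz"], recorded,
                           lambda uri: backdoored)
    return data == backdoored
```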