From: Giovanni Biscuolo <g@xelera.eu>
To: Attila Lendvai
Cc: guix-security@gnu.org, guix-devel@gnu.org
Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils)
Organization: Xelera.eu
Date: Sat, 13 Apr 2024 09:42:06 +0200
Message-ID: <87v84liu9d.fsf@xelera.eu>
References: <87ttkon4c4.fsf@protonmail.com> <8734s1mn5p.fsf@xelera.eu> <87zfu9ku4l.fsf@xelera.eu> <87msq8kthb.fsf@xelera.eu>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Attila,

sorry for the delay in my reply. I'm asking myself if this (sub)thread
should be "condensed" in a dedicated RFC (are RFCs official workflows in
Guix, now?); if so, I volunteer to file such an RFC in the next weeks.

Attila Lendvai writes:

>> Are there other issues (different from the "host cannot execute target
>> binary") that make release tarballs indispensable for some upstream
>> projects?
>
> i didn't mean to say that tarballs are indispensable. i just wanted to
> point out that it's not as simple as going through each package
> definition and robotically changing the source origin from tarball to
> git repo. it costs some effort, but i don't mean to suggest that it's
> not worth doing.

OK, understood, thanks!

[...]

> i think a good first step would be to reword the packaging guidelines
> in the doc to strongly prefer VCS sources instead of tarballs.

I agree.

>> Even if We™ (ehrm) find a solution to the source tarball reproducibility
>> problem (potentially allowing us to patch all the upstream makefiles
>> with specific phases in our package definitions) are we really going to
>> start our own (or one managed by the reproducible build community)
>> "reproducible source tarballs" repository? Is this feasible?
>
> but why would that be any better than simply building from git? which,
> i think, would even take less effort.

I agree, I was just brainstorming.

[...]

Thanks, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
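Added example, not part of this message and not code from Guix itself: the change Attila describes, a package whose origin is switched from the upstream release tarball to a pinned git checkout, written out for a hypothetical package "foo". The package name, URLs, version, commit id and both hashes are placeholders (a real definition takes the hash that `guix download` or `guix hash` reports); everything else is the ordinary Guix package DSL.

```scheme
;; Added example; "foo", its URLs, version, commit and hashes are
;; placeholders, not a real upstream project.
(use-modules (guix packages)
             (guix download)
             (guix git-download)
             (guix build-system gnu)
             (guix licenses)
             (gnu packages autotools))

;; 1. The usual shape: fetch the release tarball.  Everything inside the
;;    tarball is used as-is, including generated or hand-added files
;;    (configure, Makefile.in, bundled m4 macros) that need not exist in
;;    the upstream repository at all.
(define-public foo-tarball
  (package
    (name "foo")
    (version "1.2.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.org/foo/foo-"
                                  version ".tar.xz"))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "https://example.org/foo")
    (synopsis "Placeholder package built from a release tarball")
    (description "Placeholder package used to show a tarball origin.")
    (license gpl3+)))

;; 2. The same package taken from the upstream git repository at a pinned
;;    commit.  Only files tracked in the repository reach the build.  The
;;    configure script is regenerated from configure.ac by the
;;    gnu-build-system 'bootstrap phase (it runs autoreconf when no
;;    configure script is present), so the autotools become native-inputs.
;;    This is the "some effort" part of the switch.
(define-public foo-git
  (let* ((commit "0123456789abcdef0123456789abcdef01234567") ; placeholder
         (revision "0")
         (version (git-version "1.2.3" revision commit)))
    (package
      (inherit foo-tarball)
      (version version)
      (source (origin
                (method git-fetch)
                (uri (git-reference
                      (url "https://example.org/foo/foo.git")
                      ;; Pin a full commit id rather than a tag: a tag is
                      ;; a mutable reference upstream can move, a commit
                      ;; id is not.
                      (commit commit)))
                (file-name (git-file-name "foo" version))
                (sha256
                 (base32
                  "0000000000000000000000000000000000000000000000000000"))))
      (native-inputs
       (modify-inputs (package-native-inputs foo-tarball)
         (append autoconf automake libtool))))))
```

The sha256 on a git origin covers the checkout tree, so a later change to the repository at that commit is still caught, exactly as a tarball substitution would be; what the git origin additionally removes is any file that was only ever present in the tarball. Projects whose bootstrap needs more than autoconf/automake/libtool (gettext, gtk-doc, a custom autogen script) need those added to native-inputs or a replaced 'bootstrap phase, which is where the per-package effort mentioned in the thread goes.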