From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id yOOWK5qecGEmVwAAgWs5BA (envelope-from ) for ; Thu, 21 Oct 2021 00:56:26 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id ILr+JpqecGEtLgAAbx9fmQ (envelope-from ) for ; Wed, 20 Oct 2021 22:56:26 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 3F384269D4 for ; Thu, 21 Oct 2021 00:56:26 +0200 (CEST) Received: from localhost ([::1]:45008 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mdKVV-0003ic-7Q for larch@yhetil.org; Wed, 20 Oct 2021 18:56:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46450) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mdKTU-0002H6-OZ for guix-devel@gnu.org; Wed, 20 Oct 2021 18:54:20 -0400 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:34325) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mdKTQ-0006c3-Jq for guix-devel@gnu.org; Wed, 20 Oct 2021 18:54:20 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 177535C01D9; Wed, 20 Oct 2021 18:54:14 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Wed, 20 Oct 2021 18:54:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=kDG1DAiNM1A9uj4WZKRp10Dc V76KMEKrKIldkJBj0Gk=; b=y+T67Do6bcbmviudOJrq3gDv2NVkH9MXUQlFB6/I Iv3rx7SJsQqt4IQzwN4iOgTy5uha9eCTUTmDUtL+dMqZr9Cm+bQ0q/wl63/Ckv3s RJ7QKMXlrzDd/7DZaU2A6NA55AgnaVJ6YVpmmu6cI3LZulGUrgq1E4pvYSdr69a7 8M4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=kDG1DA iNM1A9uj4WZKRp10DcV76KMEKrKIldkJBj0Gk=; b=CjVfAfGVM6EtWcv4PTfl4w Vs/fdsT7BafuC8zSXiX33q+qAzmOqt988gVE90b84fDYZH4otfG0L1pJKVHc+Ys3 H/odezP91YxU9H1lfO+9yGzUqZriYGRQfy3rL0zTDixOtgbTDsu6ZWnw8PQzvczd mCRli4pLXJ3V1DfBVG7xERntgDhyGbmTww3GRBnO//JqcIjJ6aOlaGWCax9XCqdP 7UdRYWyjd92KVnXN7agcTDTIoXYBB1VZTEhzFKERVtTlk1noNGV5+ihMMJrXEZd3 l/efIxOdlbO4TtBDBYYVm6af3Xf2KVrUwLKYX2E7eeb8y0a1UZGqjZyzfr/41yMg == X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrvddvhedgudduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefnvghoucfh rghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrghtth gvrhhnpedukeevgeetkeeltefgiedtjefgjeekffduteehvdfhueekudelieekjeefheff teenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvg hosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 20 Oct 2021 18:54:13 -0400 (EDT) Date: Wed, 20 Oct 2021 18:54:11 -0400 From: Leo Famulari To: Tobias Geerinckx-Rice Subject: Re: Public guix offload server Message-ID: References: <878rynh0yq.fsf@systemreboot.net> <87cznz74l5.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="AXfQTZc/0nm8atKo" Content-Disposition: inline In-Reply-To: <87cznz74l5.fsf@nckx> Received-SPF: pass client-ip=66.111.4.27; envelope-from=leo@famulari.name; helo=out3-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1634770586; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=kDG1DAiNM1A9uj4WZKRp10DcV76KMEKrKIldkJBj0Gk=; b=NXsPT+RzByLLesmHOcpO2gbMM4vrH4EVvuBG1ckn2liWIeX6TZ/tE31v6jp7uHqVP7ljRj zJGo9DeZ/lt6ac/z9SChfW/VY2CXPvxq+p2N8/aZdo4rMMOZlvWeGrlLfNTdN0IzPOZmhm SnVpvAOAJQkoH/3OJwgCmaoeUSuoPrTpmO8Nec1v28oLu4xqegg9oohu4o4XKY7FmnwVgi sGV7pUAN4xZDwLlNY6FSvGCSY4lgKiD/2mEMOs9WdzZV3Gbg2FOO36pliFltAj64W9WIj1 WntlWwbrMo1lxE4QdBC9+CvInI12wzhyexcfyz9lRrR6yNelkZelBWMta4FtGQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634770586; a=rsa-sha256; cv=none; b=ojEn8Si+skfGh0pptabJ2q4QWId1+DL6dGFPc5VxxlsUh4fMohMC1fMTd1c6rqXHcatEIs DLA4rGNg23sjCKSMS+Nq7/LWgLMxRnPnsMQ5e6SpfP1XDN58Qw9wbRNVL3H93y8Fh7D56f nIUZQIEP1GQrFkljCX7rxWZYriQcdhL0tOMoPeu51dwu9w9QWGWDhyEEmgoc8cHIQYGiLE YOB4hgzhCHXie+tr2YVfyHwWaA4qfiPZF4FCR0g/mli8b9t/z7D55Rotypfi1FVjXsovHJ hbLrfIHzFKuNtc+E+RXQ6JPHRMDu8vMlByEWoX89YC4RCMq/PmY63AvaL3LW/Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=y+T67Do6; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm1 header.b=CjVfAfGV; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.53 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=y+T67Do6; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm1 header.b=CjVfAfGV; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 3F384269D4 X-Spam-Score: -3.53 X-Migadu-Scanner: scn0.migadu.com X-TUID: lvl9LSJodnRL --AXfQTZc/0nm8atKo Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Oct 20, 2021 at 11:06:05PM +0200, Tobias Geerinckx-Rice wrote: > Guix is not content-addressed. Any [compromised] user can upload arbitrary > malicious binaries with store hashes identical to the legitimate build. > These malicious binaries can then be downloaded by other clients, which > presumably all have commit access. Interesting... I'm not at all familiar with how `guix offload` works, because I've never used it. But it's surprising to me that this would be possible. Although after one minute of thought, I'm not sure why it wouldn't be. However, the Guix security model trusts committers implicitly. So, if the committers' shared offload server had proper access control, one might consider it "good enough" in terms of security. Although the possibility of spreading malicious binaries is much scarier than what could be achieved by committing to guix.git, because of the relative lack of transparency. --AXfQTZc/0nm8atKo Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmFwnhAACgkQJkb6MLrK fwguVw//VmJx0URr/TjBKMUwCrM8rtZtzc5MlMD5lc3SNcoEWNvKhknB9DIeaEKB QMWUXu3HxZjsaLu/ijroMHZpwerYt9fVxBLd3/lYi3pI9P3YpUpnCQmSmMI33BvR yzIKzAUUSmxD8+dzAnDtjbrG5rl9pe6hqJ0vdA/Y20HlC5oTSPA4Nk6dSy75Zt5J lfr/e3co+ox1nZgm62ZWG7egsIwFDnmuyzybeVU7vb6ihk3YmYP6U3lglyWMJcUS 6XhaG94sWBfbhbfrOTc5i/ehy8E1XvsMMjlJHq+OKitr/+EPOTIQeD2HatzTqglC /rfDYVZiU/WqGLAj2L2tLQ4TcVJzdNIWIyJR49qEawF9DdFSxCqDfu4HTF8HRNi4 AEwjQ4xAd7Ta9a1QOToeNCyMukMA4uvdKqUJH3bgPnYdJ26mOD1HaLTvwONuAqvB Un37vZ7a7WW01WL80HwIqrC0nFjPjAjf/4TfShi+gjFsnbJPcU437XsERXw02PcP nL3KOiYmwrufF2O+cZkbLEdqrQsq9Ws7FjCi7cZgHCARv99hi4SDLO5/WyF1SCXR 2z1ucFNBfb9nuhTlD51x4EwvI82Bn1qJQ9fic8JFJdQdlklk0IJg9439Ee1taKED uoGbwY4AF3YAY8Wc5n/fFNapjVieUBvvb2ZN8vCy0hFfWXGmxAI= =xsaP -----END PGP SIGNATURE----- --AXfQTZc/0nm8atKo--