From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms1.migadu.com with LMTPS id 6AktIoQSG2a7gwEAe85BDQ:P1 (envelope-from ) for ; Sun, 14 Apr 2024 01:17:24 +0200 Received: from aspmx1.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2.migadu.com with LMTPS id 6AktIoQSG2a7gwEAe85BDQ (envelope-from ) for ; Sun, 14 Apr 2024 01:17:24 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=protonmail.com header.s=protonmail3 header.b=t8CAxAjw; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=quarantine) header.from=protonmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1713050244; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=NSSI8vJYz6UpzW5wEy0LCpQrfMfQ3aKY/lYRFwYXFmY=; b=l5HWDOu7CTYPH3q2JSv4/+f0VNDhiuS/XvN/2dFdaIqj3aKFafAffzAtVDoZnbddUvnoXq kjCVS/p2+oTDdOAWsMF3T7iXW0izWfIGaavjs6/7noovZjWYXUJA68KzDIGazqRTJLufvr MwWkIHXQlK1GSWVg3AZ8e2LP0Ta1S6aFOzYbhpLly/pOQHhqA4o9brOapyOMk+Q4ED+y6t Ks474nOpGqHOJhJha3erfwRCXjxUt+/5TMK9IYkno0qL1eK1Q5hLYomyoiW9giGoQBkDyO baChHYoVIrORs7EQLR3OOFQNwUzrWTAosX4BBPUfQUK+SDQxQP+UX5ug1JdI0w== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1713050244; a=rsa-sha256; cv=none; b=IsBEEDVS1Fye0eqMwc0B5IY9dUL74oL/B7gHpbEdBnM7AJUVaNjefBGcGSXWvBF5BDwkTc 5XGdK/MTQri/ZAGxyfGt4aJmyiO3ZxykjT92PJIwNy/MnwZKIC3EknwYmG0dfjKSw8p6bL IDgzLGtxji3wS3JiL4lni9Yg0u2dzrMzYlViPjDkK8fs6flCuAcLTLCzPSw0LN4WQNO2eO eNft0rh42xX6HAcg6jIeG45JuIQQU1z0Xq8ArQlIje+UjWtDNudPoeHXdkWAgOdsd1pnV+ Ts0W7PaMRxuDE1JGth6U5lyiLFg4Yyml5Pw8R8eOaz15GlOaiI/q8FohVkcebg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=protonmail.com header.s=protonmail3 header.b=t8CAxAjw; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=quarantine) header.from=protonmail.com Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 6BE0862A61 for ; Sun, 14 Apr 2024 01:17:24 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rvmcK-0002Cw-Oq; Sat, 13 Apr 2024 19:17:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rvR2R-0007z7-JX for guix-devel@gnu.org; Fri, 12 Apr 2024 20:14:35 -0400 Received: from mail-40131.protonmail.ch ([185.70.40.131]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rvR2P-0007ZY-5n for guix-devel@gnu.org; Fri, 12 Apr 2024 20:14:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1712967268; x=1713226468; bh=NSSI8vJYz6UpzW5wEy0LCpQrfMfQ3aKY/lYRFwYXFmY=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=t8CAxAjwwYQMbyZpFkk6P/Ds73Rtycgk/n7t26Z1g/6Q3ED7qivFposJ1Kg7Fm5ID Ff+3DdaRHtwHwAjeA+6EWysXoOicI3XDUkhQwZl+k6zF9j7vetx7sY2N71EZu2cb3Q HrfxnyjC7ZAdKXPQPI26r0nxrebWMsE+249M38BF3JsYMaCHA3APtvZbU/nxzBcW/l q6+YExWrwz7PdfiEmX2/oBP6LtStEdPoZIO0sPyQPB40X4qFt26zE7juN1ZnDY90dH NlmDus/BFuF5KcPER1PbWJh/KYvzAX8/78r3sjXR8gHcCTzLaeG+7U7GsGMboT6J86 iQcQZTGxGRSMQ== Date: Sat, 13 Apr 2024 00:14:17 +0000 To: Andreas Enge , Ekaitz Zarraga From: Skyler Ferris Cc: =?utf-8?Q?Ludovic_Court=C3=A8s?= , Attila Lendvai , Giovanni Biscuolo , Guix Devel Subject: Re: backdoor injection via release tarballs combined with binary artifacts (was Re: Backdoor in upstream xz-utils) Message-ID: In-Reply-To: References: <87ttkon4c4.fsf@protonmail.com> <8734s1mn5p.fsf@xelera.eu> <87zfu9ku4l.fsf@xelera.eu> <6e743725-26f0-669c-b088-e56c850110c8@elenq.tech> <87wmp5l3r3.fsf@gnu.org> <8076578a-bebd-0f26-6d39-f634ded290ce@elenq.tech> Feedback-ID: 40635331:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=185.70.40.131; envelope-from=skyvine@protonmail.com; helo=mail-40131.protonmail.ch X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Sat, 13 Apr 2024 19:17:02 -0400 X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -9.76 X-Spam-Score: -9.76 X-Migadu-Queue-Id: 6BE0862A61 X-Migadu-Scanner: mx13.migadu.com X-TUID: YPV5Ecu5v0HY Hi all, On 4/11/24 06:49, Andreas Enge wrote: > Am Thu, Apr 11, 2024 at 02:56:24PM +0200 schrieb Ekaitz Zarraga: >> I think it's just better to >> obtain the exact same code that is easy to find > The exact same code as what? Actually I often wonder when looking for > a project and end up with a Github repository how I could distinguish > the "original" from its clones in a VCS. With the signature by the > known (this may also be a wrong assumption, admittedly) maintainer > there is at least some form of assurance of origin. I think this assumption deserves a lot more scrutiny than it typically=20 gets (this is a general statement not particular to your message; even=20 the tails project gets this part of security wrong and they are=20 generally diligent in their efforts). I find it difficult to download=20 PGP keys with any degree of confidence. Often, I see a file with a=20 signature and a key served by the same web page, all coming from the=20 same server. PGP keys are only useful if the attacker compromised the=20 information that the user is receiving from the web page (for example,=20 by gaining control of the web server or compromising the HTTPS session).=20 In the typical scenario I have encountered, the attacker would also=20 replace the key and signature with ones that they generated themself. In short, I'm not sure that we actually get any value from checking the=20 PGP signature for most projects. Either HTTPS is good enough or the=20 attacker won. 99% of the time HTTPS is good enough (though it is notable=20 that the remaining 1% has a disproportionate impact on the affected=20 population). Some caveats: It's difficult for me to use web of trust effectively because I haven't=20 met anyone who uses PGP keys IRL. I'm ultimately trusting my internet=20 connection and servers which are either semi-centralized (there are not=20 that many open keyservers, it's an oligopoly for lack of a better term)=20 or have the problem described above. So maybe everyone else is using web=20 of trust effectively and I don't know what I'm talking about. =3D) The key download could be compared to the "trust on first use" model=20 that SSH uses. It's not clear to me how effective a simple text box=20 saying "we rotated our keys so you need to re-download it!" would be,=20 but I suspect that most people would download without a second thought.=20 It might be interesting to add public keys and signature locations to=20 package definitions and have Guix re-verify the signature when it=20 downloads the source. This would provide more scrutiny when keys are=20 rotated (because of the review process) and would prevent harm from the=20 situation where the package author is re-downloading the key each time=20 the software is updated. The review process also adds a significant layer of protection because=20 an attacker would need to compromise the HTTPS session of the reviewer=20 in addition to the original package author (assuming that the signature=20 is re-checked by the reviewer; I'm not sure how often this happens in=20 practice). In principle it should be difficult for an attacker to=20 predict who will be reviewing which issue. However, if the pool of=20 reviewers is small it would be easier for the attacker to predict this=20 or just compromise all of the reviewers. Also, if there was some way for=20 the attacker to launch a general attack on people working out of the=20 Guix repository then the value of this protection becomes negligible. The above two paragraphs are somewhat at odds: if Guix has the public=20 key baked in and knows where to download the signature, some reviewers=20 might not double-check the key that they get from the website because=20 Guix is doing it for them. On one hand, I generally think that=20 automating security makes it worse because once it's automated there's a=20 system of rules for attackers to manipulate. On the other hand, if we=20 assume people aren't doing the things they need to then no amount of=20 technical support will give us a secure system. How much is reasonable=20 to expect of people? From my extremely biased perspective, it's=20 difficult to say. >> and everybody is reading. > This is a steep claim! I agree that nobody reads generated files in > a release tarball, but I am not sure how many other files are actually > read. > > Andreas I would guess that the level of the protection is strongly correlated=20 with the popularity of the project among developers who need to add=20 features or fix bugs. I don't think anybody reads a source repository=20 "cover to cover", but we rummage around in the code on an as-needed=20 basis. It would probably be difficult to sneak something into core=20 projects like glibc or gcc, but pretty easy to sneak something into=20 "emojis-but-cooler.js". It would be better to have comprehensive audits=20 of all the projects, but that's not something Guix can manage by itself.=20 It could make it easier to free up resources for that task, but I digress. While it is hyperbolic to say that "with enough eyes, all bugs are=20 shallow" there is a kernel of truth to it. There's a reason they hid the=20 noticeably malicious macros in the release tarball. In solidarity, Skyler