GNU bug report logs

#22883 Trustable "guix pull"

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #192 received at 22883@debbugs.gnu.org (full text, mbox, reply):

Received: (at 22883) by debbugs.gnu.org; 1 May 2020 16:51:02 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri May 01 12:51:02 2020
Received: from localhost ([127.0.0.1]:50534 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jUYsP-0006kc-R3
	for submit@debbugs.gnu.org; Fri, 01 May 2020 12:51:02 -0400
Received: from eggs.gnu.org ([209.51.188.92]:51336)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1jUYsO-0006kH-Cp
 for 22883@debbugs.gnu.org; Fri, 01 May 2020 12:51:00 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:59578)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1jUYsI-0004Vr-69; Fri, 01 May 2020 12:50:54 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=41126 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1jUYsH-0001V1-LX; Fri, 01 May 2020 12:50:54 -0400
From: Ludovic Courtès <ludo@gnu.org>
To: Justus Winter <justus@sequoia-pgp.org>
Subject: Re: bug#22883: Authenticating a Git checkout
References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org>
 <87bn3iz1xc.fsf_-_@gnu.org> <87wpket748.fsf@gnu.org>
 <87bmkwm8ed.fsf@gnu.org> <87png9o8i2.fsf@elephly.net>
 <87fth4bj6y.fsf@gnu.org> <87bln9oupo.fsf@gnu.org>
 <87sggjpsit.fsf@europa.jade-hamburg.de>
Date: Fri, 01 May 2020 18:50:51 +0200
In-Reply-To: <87sggjpsit.fsf@europa.jade-hamburg.de> (Justus Winter's message
 of "Fri, 01 May 2020 17:46:34 +0200")
Message-ID: <87pnbnha50.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 22883
Cc: Ricardo Wurmus <rekado@elephly.net>, 22883@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Justus,

Justus Winter <justus@sequoia-pgp.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> Signature verification in (guix openpgp) does just that: signature
>> verification.  It does not validate signature and key metadata, in
>> particular expiration date.  I guess it should at least error out when a
>> signature creation time is newer than its key expiration time.
>
> Indeed.  I skimmed both the original and the adapted code, and it
> notably does no attempt to canonicalize the certificates in the keyring
> (i.e. checking binding signatures, lifetimes, revocations, (sub)key
> flags...).  While that is a bit dangerous, it is okay for a point
> solution for Guix, provided that this is properly documented and
> communicated.
>
> One can forgo canonicalization if one assumes that the keyring is
> curated, and one has a good-list of (sub)keys fingerprints that are
> allowed to create signatures.  Reading git-authentiate.scm that does
> seem to be the case.

Yeah, the (guix openpgp) module is good enough for this narrow use case,
but I agree that people shouldn’t view it as a viable signature-only
OpenPGP implementation in the general case.

I’ll clarify this at least in the source file.

> (I bet that certificate canonicalization is the major reason why calling
> out to gpgv is so slow:  it does that every time, and it involves
> signature verification, which is slow (yes, I'm looking at you, RSA).)

I see.

>> It should also reject SHA1 signatures, at least optionally (I haven’t
>> checked whether our Git history has any of these).
>
> I believe it should.  For reference, we reject SHA1 signatures for
> signatures created since 2013.

Sounds good, I’ll do that.

>> Next steps:
>>
>>   • Clean up the (guix openpgp) API a bit, for instance by using proper
>>     SRFI-35 error conditions.  Perhaps handle v5 packets too.
>
> Don't bother with v5 packets for now.  The RFC is nowhere near
> completion, and even if it is one day, it will be quite some time until
> you see these packets in the wild.

Alright, even better.

Thanks for taking the time to look into it!

Ludo’.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:23:18 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.