GNU bug report logs

#22883 Trustable "guix pull"

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #228 received at 22883@debbugs.gnu.org (full text, mbox, reply):

Received: (at 22883) by debbugs.gnu.org; 4 Jun 2020 09:55:14 +0000
From debbugs-submit-bounces@debbugs.gnu.org Thu Jun 04 05:55:14 2020
Received: from localhost ([127.0.0.1]:45172 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jgmaf-0004EQ-GA
	for submit@debbugs.gnu.org; Thu, 04 Jun 2020 05:55:13 -0400
Received: from eggs.gnu.org ([209.51.188.92]:46120)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1jgmad-0004EE-Jw
 for 22883@debbugs.gnu.org; Thu, 04 Jun 2020 05:55:11 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:57647)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1jgmaY-00068Y-9I; Thu, 04 Jun 2020 05:55:06 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=44756 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1jgmaW-0003mS-Er; Thu, 04 Jun 2020 05:55:04 -0400
From: Ludovic Courtès <ludo@gnu.org>
To: zimoun <zimon.toutoune@gmail.com>
Subject: Re: bug#22883: Channel introductions
References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org>
 <20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org>
 <87bn3iz1xc.fsf_-_@gnu.org> <87wpket748.fsf@gnu.org>
 <87bmkwm8ed.fsf@gnu.org> <87png9o8i2.fsf@elephly.net>
 <87fth4bj6y.fsf@gnu.org> <87bln9oupo.fsf@gnu.org>
 <87wo5vfuxi.fsf@gnu.org> <87o8qjekt7.fsf@gnu.org>
 <87v9kanalz.fsf_-_@gnu.org>
 <CAJ3okZ197ip5HG8P66tVhtNiTcxBv63yfWk7LMeYy=A-Vx2d-Q@mail.gmail.com>
 <875zc8pjfu.fsf@gnu.org>
 <CAJ3okZ2DXeh-FzCj5t_+aVmfe9jsyN6araq0nnPOq_ZMbpp5TA@mail.gmail.com>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 17 Prairial an 228 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Thu, 04 Jun 2020 11:55:02 +0200
In-Reply-To: <CAJ3okZ2DXeh-FzCj5t_+aVmfe9jsyN6araq0nnPOq_ZMbpp5TA@mail.gmail.com>
 (zimoun's message of "Wed, 3 Jun 2020 18:20:32 +0200")
Message-ID: <87lfl3dukp.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 22883
Cc: 22883@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

> On Wed, 3 Jun 2020 at 11:50, Ludovic Courtès <ludo@gnu.org> wrote:
>> zimoun <zimon.toutoune@gmail.com> skribis:
>> > On Mon, 1 Jun 2020 at 16:08, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> >>      If that information were stored in ‘.guix-channel’, it would be
>> >>      trivial for an attacker to fork the project (or push a new commit)
>> >>      and pretend the authentication process must not take previous
>> >>      commits into account.
>> >
>> > What will happen to recursive '.guix-channel'?  The '.guix-channel' of
>> > channel A contains the reference to the channel B where the
>> > '.guix-channel' contains the reference to the channel C, etc.
>>
>> I’m not sure I understand.  (The sentence above is about *not* storing
>> info in ‘.guix-channel’.)
>
> Sorry, I have misread.
> The question about recursive still applies. ;-)
> Currently, if the local channel file points to a channel A which
> contains the file '.guix-channel' which points to another channel B,
> then when one runs "guix pull" well the channel A will be pulled and
> then the channel B, even if this channel B is not explicit in the
> initial local channel.  (Even, there is bug about recursive implicit
> pulls, see http://issues.guix.gnu.org/issue/41069; well another
> story.)
>
> What happens for such situation?

Nothing special, I guess: each channel would be authenticated (or not,
if it’s an unsigned channel).  I think it’s completely orthogonal.

>> >>   4. When publishing a fork of a channel, one emits a new channel
>> >>      introduction.  Users switching to the fork have to explicitly allow
>> >>      that new channel via its introduction; flipping the URL won’t be
>> >>      enough because ‘guix pull’ would report unauthorized commits.
>> >
>> > I am a bit afraid by this... and I hope that a fork of a channel will
>> > still work without emitting a new channel introduction.
>>
>> No, when publishing a fork of an authenticated channel, you’ll have to
>> publish its introduction alongside its URL.
>
> I do not understand your two answers.  Well, there is 4 situations
> when publishing:
>
>  1- an authenticated fork of an authenticated channel
>  2- an authenticated fork of an unauthenticated channel
>  3- an unauthenticated fork of an authenticated channel
>  4- an unauthenticated fork of an unauthenticated channel
>
> "authenticated channel" means a channel using all the authentication machinery.
> "authenticated fork" means add a "channel introduction" and so become
> a "authenticate channel" then.

I’m sorry, I don’t follow the terminology.

> Today, we are in the situation 4. and we are going to the 1.  if I
> understand correctly.
> And if I understand your answer above about good ol' channel, the 4.
> will still work and emit a warning, isn't it?
> What about the 2. and 3.?
>
> These situations correspond to:
>
> 1- the correct way
> 2- bootstrap the trust
> 3- and 4- quick and dirty "Scientific" workflows where the security is
> not a concern.

Funny how “scientific” has become synonymous with “quick-and-dirty”
these days…

[…]

> Genuine commits and outdated mirrors are separated questions, IMHO.
>
>
>> Since there’s no way to answer the question “is this the latest commit?”
>> in a general way, the best we can do, I think, is to detect whether
>> we’re talking to the “official” Git repo.
>
> What does "official" mean here?  To me, it means commits that I trust,
> i.e., approved by an authority.  My local clone is not less "official"
> than the repo on Savannah.
>
> I do not understand why the question “is this the latest commit?” has
> to be answered.  If an user wants the latest commits, then they
> directly pulls from upstream, i.e, from Savannah.  If an user wants to
> pull from a mirror for whatever reasons, then they knows that the last
> updates are not necessary there, since it is a mirror and not upstream
> -- and it is the responsibility of the mirror maintainer to keep it
> up-to-date.  However, what the user wants to know is whether the
> mirror has not introduced malicious commits.

Guix is a software supply tool.  There are two important security
questions a software supply client must address: “am I getting the
authentic stuff?”, and “am I getting the latest stuff?”.  The first one
is obvious, the second one relates to “downgrade attacks” which can
introduce known security vulnerabilities.

Things like The Update Framework (TUF) address both, but they do that in
a context that’s technically “like Debian” (binary distro) and very
different from Guix.

Yet, these two issues must also be addressed in Guix, like in any other
distro.

What we’ve been discussing here addresses the first question.  For the
second question, the best answer I came up with is that of an “official
URL”, allowing users to know the URL that should give them the latest
stuff.

“Official” means that it genuinely comes from the organization I
entrusted with my computer, be it the Guix project, another organization
maintaining a Guix fork, or an organization maintaining a Guix channel.

I hope that makes sense.

Thanks,
Ludo’.




Send a report that this bug log contains spam.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:34:51 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.