GNU bug report logs

#52555 [RFC PATCH 0/3] Decentralized substitute distribution with ERIS


Message #133 received at 52555@debbugs.gnu.org (full text, mbox, reply):

Message-ID: <52ee517f75c66a8fd9e9823da016b5720b4d5d34.camel@telenet.be>
Subject: Re: [bug#52555] [RFC PATCH v2 0/5] Decentralized substitute
 distribution with ERIS
From: Maxime Devos <maximedevos@telenet.be>
To: pukkamustard <pukkamustard@posteo.net>
Date: Thu, 03 Feb 2022 21:36:34 +0100
In-Reply-To: <86bkzph5ux.fsf@posteo.net>
References: <20211216161724.547-1-pukkamustard@posteo.net>
 <20220125192201.7582-1-pukkamustard@posteo.net>
 <73b50ffdca94407ef9fd7ef4875985a3b1c3c568.camel@telenet.be>
 <86bkzph5ux.fsf@posteo.net>
Cc: ~pukkamustard/eris@lists.sr.ht, 52555@debbugs.gnu.org
pukkamustard wrote on Wed 02-02-2022 at 11:10 [+0000]:
> The ERIS URN is only used if the entire narinfo is signed with an
> authorized signature.

Perhaps I'm missing something here, but in that case, shouldn't "ERIS"
be added to %mandatory-fields in (guix narinfo)?

Anyway, I don't see what prevents an unauthorised narinfo with an ERIS
URN from being used: the narinfo is chosen with

  (define narinfo
    (lookup-narinfo cache-urls store-item
                    (if (%allow-unauthenticated-substitutes?)
                        (const #t)
                        (cut valid-narinfo? <> acl))))

where lookup-narinfo is a tiny wrapper around lookup-narinfos/diverse.
lookup-narinfos/diverse considers both unauthorised and authorised
narinfos, and can choose an unauthorised narinfo if it's ‘equivalent’
to an authorised narinfo (using equivalent-narinfo?).

equivalent-narinfo? only looks at the hash, path, references and size,
and ignores the ERIS.  As such, an unauthorised narinfo with a
malicious ERIS URN could be selected.

However, it turns out that all this doesn't really matter: whether the
port returned by 'fetch' in (guix scripts substitute) came from
file://, http://, https:// or ERIS, the file hash is verified later
anyway:

                  ;; Compute the actual nar hash as we read it.
                  ((algorithm expected)
                   (narinfo-hash-algorithm+value narinfo))
                  ((hashed get-hash)
                   (open-hash-input-port algorithm input)))

      [...]

      ;; Check whether we got the data announced in NARINFO.
      (let ((actual (get-hash)))
        (if (bytevector=? actual expected)
            [...]

False alarm I guess!

Greetings,
Maxime.
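
The following is an added illustration, not part of the message above and not Guix code: a simplified Python model of the selection and verification steps the message walks through. The names `Narinfo`, `choose_narinfo` and `substitute`, the URNs and the store path are hypothetical, and the selection rule is a simplification of lookup-narinfos/diverse.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Narinfo:
    path: str
    nar_hash: str      # hex SHA-256 of the nar
    nar_size: int
    references: tuple
    eris_urn: str
    authorized: bool   # stands in for "signed by a key in the ACL"

def equivalent(a, b):
    # Compares only the fields the message lists: hash, path, references
    # and size. The ERIS URN is not part of the comparison.
    return ((a.nar_hash, a.path, a.references, a.nar_size)
            == (b.nar_hash, b.path, b.references, b.nar_size))

def choose_narinfo(candidates):
    # Simplified assumption: take the first candidate that is authorized,
    # or that is equivalent to some authorized candidate.
    trusted = [n for n in candidates if n.authorized]
    for n in candidates:
        if n.authorized or any(equivalent(n, t) for t in trusted):
            return n
    return None

def substitute(narinfo, block_store):
    # Fetch by URN, then check the data against the hash announced in the narinfo.
    data = block_store[narinfo.eris_urn]
    actual = hashlib.sha256(data).hexdigest()
    if actual != narinfo.nar_hash:
        raise ValueError("hash mismatch for " + narinfo.path)
    return data

# Constructed sample data; the URNs are placeholders, not real ERIS read capabilities.
GOOD_NAR = b"constructed nar contents"
STORE = {"urn:eris:GOOD": GOOD_NAR, "urn:eris:OTHER": b"different contents"}
_common = dict(path="/gnu/store/placeholder-hello",
               nar_hash=hashlib.sha256(GOOD_NAR).hexdigest(),
               nar_size=len(GOOD_NAR), references=())
SIGNED = Narinfo(eris_urn="urn:eris:GOOD", authorized=True, **_common)
UNSIGNED = Narinfo(eris_urn="urn:eris:OTHER", authorized=False, **_common)
```

In this model the unsigned narinfo can be selected because it is equivalent to the signed one, but the content fetched through its URN is rejected by the hash comparison.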


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Sep 8 11:52:58 2025; Machine Name: wallace-server
