GNU bug report logs

#52555 [RFC PATCH 0/3] Decentralized substitute distribution with ERIS


Message #136 received at 52555@debbugs.gnu.org:

From: pukkamustard <pukkamustard@posteo.net>
To: Maxime Devos <maximedevos@telenet.be>
Subject: Re: [bug#52555] [RFC PATCH v2 0/5] Decentralized substitute
 distribution with ERIS
Date: Fri, 04 Feb 2022 10:20:18 +0000
Cc: ~pukkamustard/eris@lists.sr.ht, 52555@debbugs.gnu.org

Maxime Devos <maximedevos@telenet.be> writes:

> pukkamustard wrote on Wed 02-02-2022 at 11:10 [+0000]:
>> The ERIS URN is only used if the entire narinfo is signed with an
>> authorized signature.
>
> Perhaps I'm missing something here, but in that case, shouldn't "ERIS"
> be added to %mandatory-fields in (guix narinfo)?
>
> Anyway, I don't see what prevents an unauthorised narinfo with an ERIS
> URN from being used: the narinfo is chosen with
>
>   (define narinfo
>     (lookup-narinfo cache-urls store-item
>                     (if (%allow-unauthenticated-substitutes?)
>                         (const #t)
>                         (cut valid-narinfo? <> acl))))
>
> where lookup-narinfo is a tiny wrapper around lookup-narinfos/diverse.
> lookup-narinfos/diverse considers both unauthorised and authorised
> narinfos, and can choose an unauthorised narinfo if it's ‘equivalent’
> to an authorised narinfo (using equivalent-narinfo?)
>
> equivalent-narinfo? only looks at the hash, path, references and size,
> and ignores the ERIS.  As such, an unauthorised narinfo with a
> malicious ERIS URN could be selected.

You're right. I was not aware that parts of unauthorized narinfos are
used when they are deemed equivalent to authorized narinfos with
equivalent-narinfo?.

>
> However, it turns out that all this doesn't really matter: whether the
> port returned by 'fetch' in (guix scripts substitute) came from
> file://, http://, https:// or ERIS, the file hash is verified later
> anyway:
>
>                   ;; Compute the actual nar hash as we read it.
>                   ((algorithm expected)
>                    (narinfo-hash-algorithm+value narinfo))
>                   ((hashed get-hash)
>                    (open-hash-input-port algorithm input)))
>
>       [...]
>
>       ;; Check whether we got the data announced in NARINFO.
>       (let ((actual (get-hash)))
>         (if (bytevector=? actual expected)
>             [...]
>
> False alarm I guess!

Yeah, good that the hash is checked. Still, I think we should not even
try downloading an ERIS URN that is not authorized.

I think adding a check to equivalent-narinfo? that makes sure that the
ERIS URNs are equivalent if present would fix this. wdyt?

-pukkamustard
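
The selection issue discussed in this message, as an added Guile example that is not part of the original e-mail and is not Guix's code: a simplified model of choosing among narinfos, first with the equivalence test as described above (hash, path, references, size) and then with an ERIS comparison added. The record type, procedure names, the strict reading of "if present", and all sample values are assumptions made for illustration.

```scheme
;; Added example (Guile); a simplified model, not Guix's (guix narinfo) code.
(use-modules (srfi srfi-1) (srfi srfi-9))

;; Hypothetical record: only the fields this thread discusses, plus a flag
;; standing in for the result of the signature check against the ACL.
(define-record-type <narinfo>
  (make-narinfo path hash size references eris authorized?)
  narinfo?
  (path narinfo-path) (hash narinfo-hash) (size narinfo-size)
  (references narinfo-references)
  (eris narinfo-eris)                   ; ERIS URN string, or #f if absent
  (authorized? narinfo-authorized?))

;; Equivalence as described in the thread: hash, path, references and size.
(define (equivalent/no-eris? a b)
  (and (string=? (narinfo-hash a) (narinfo-hash b))
       (string=? (narinfo-path a) (narinfo-path b))
       (equal? (narinfo-references a) (narinfo-references b))
       (= (narinfo-size a) (narinfo-size b))))

;; Variant with the proposed check. Assumed strict reading: CANDIDATE may
;; omit the ERIS URN, but if it carries one it must equal AUTHORIZED's.
(define (equivalent/eris? candidate authorized)
  (and (equivalent/no-eris? candidate authorized)
       (or (not (narinfo-eris candidate))
           (equal? (narinfo-eris candidate) (narinfo-eris authorized)))))

;; Model of the selection: the first candidate, in cache order, that is
;; equivalent to an authorized narinfo; #f if no candidate is authorized.
(define (select-narinfo candidates equivalent?)
  (let ((authorized (find narinfo-authorized? candidates)))
    (and authorized
         (find (lambda (c) (equivalent? c authorized)) candidates))))

;; Constructed sample data: placeholder path, hash and URNs.
(define mirror                          ; unsigned, listed first
  (make-narinfo "/gnu/store/EXAMPLE-hello" "sha256:EXAMPLE" 1234 '()
                "urn:eris:EXAMPLE-UNAUTHORIZED" #f))
(define official                        ; signed by a key in the ACL
  (make-narinfo "/gnu/store/EXAMPLE-hello" "sha256:EXAMPLE" 1234 '()
                "urn:eris:EXAMPLE-AUTHORIZED" #t))

;; Print the ERIS URN of the narinfo each equivalence test selects.
(define (show narinfo) (display (narinfo-eris narinfo)) (newline))
(show (select-narinfo (list mirror official) equivalent/no-eris?))
(show (select-narinfo (list mirror official) equivalent/eris?))
```

With the first predicate the unsigned mirror's narinfo, and so its ERIS URN, is the one selected; with the second, selection falls through to the authorized narinfo.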






debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Sep 8 07:17:51 2025; Machine Name: wallace-server
