From: Leo Famulari
Date: Wed, 21 Jun 2017 02:17:52 -0400
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain

While working on some package updates, I found that the source code
downloader will accept an X.509 certificate for an incorrect site.

Here is what happens:

------
$ ./pre-inst-env guix build -S opus-tools --check
@ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2

Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
 ….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0%
warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
------

Here is an example of what I think should happen in this case:

------
$ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
------

And this is what Firefox says:

------
downloads.xiph.org uses an invalid security certificate.

The certificate is only valid for the following names:
  osuosl.org, *.osuosl.org

Error code: SSL_ERROR_BAD_CERT_DOMAIN
------

From: ludo@gnu.org (Ludovic Courtès)
Date: Wed, 21 Jun 2017 12:50:15 +0200

Hi,

Leo Famulari wrote:

> While working on some package updates, I found that the source code
> downloader will accept an X.509 certificate for an incorrect site.
>
> Here is what happens:
>
> ------
> $ ./pre-inst-env guix build -S opus-tools --check
> @ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
>
> Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
> From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
>  ….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0%
> warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
> /gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
> ------
>
> Here is an example of what I think should happen in this case:
>
> ------
> $ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
> curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
> ------

Also:

--8<---------------cut here---------------start------------->8---
$ guix download https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
Starting download of /tmp/guix-file.vjPVRk
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
ERROR: X.509 server certificate for 'downloads.xiph.org' does not match: C=US,postalCode=97331,ST=OR,L=Corvallis,street=Oregon State University,street=Kerr Admin Building,O=Oregon State University,OU=OSU OSL,CN=osuosl.org
failed to download "/tmp/guix-file.vjPVRk" from "https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz"
guix download: error: https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz: download failed
--8<---------------cut here---------------end--------------->8---

The behavior of the source download is on purpose as noted in (guix
download):

                      ;; No need to validate certificates since we know the
                      ;; hash of the expected result.
                      #:verify-certificate? #f)))))

IOW, since we’re checking the integrity of the tarball anyway, and we
assume developers checked its authenticity when writing the recipe, then
who cares whether downloads.xiph.org has a valid certificate?

Conversely, ‘guix download’ always checks certificates by default.

Does it make sense?

Ludo’.

From: Leo Famulari
Date: Thu, 22 Jun 2017 00:09:01 -0400

On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
> > While working on some package updates, I found that the source code
> > downloader will accept an X.509 certificate for an incorrect site.

[...]

> IOW, since we’re checking the integrity of the tarball anyway, and we
> assume developers checked its authenticity when writing the recipe, then
> who cares whether downloads.xiph.org has a valid certificate?
>
> Does it make sense?

Yeah, I think it makes sense if checking the certificates would add too
much complexity for what I think is a minor benefit: protecting against
exploitation of bugs by MITM (but not xiph.org) in whatever code runs
after the connection is initiated and before the hash is calculated.

Perhaps a MITM could send a huge file and fill up the disk or something
like that.

Closing the bug, but more thoughts are welcome!

From: ludo@gnu.org (Ludovic Courtès)
Date: Thu, 22 Jun 2017 09:57:23 +0200

Leo Famulari wrote:

> On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote:
>> Leo Famulari wrote:
>> > While working on some package updates, I found that the source code
>> > downloader will accept an X.509 certificate for an incorrect site.
>
> [...]
>
>> IOW, since we’re checking the integrity of the tarball anyway, and we
>> assume developers checked its authenticity when writing the recipe, then
>> who cares whether downloads.xiph.org has a valid certificate?
>>
>> Does it make sense?
>
> Yeah, I think it makes sense if checking the certificates would add too
> much complexity for what I think is a minor benefit: protecting against
> exploitation of bugs by MITM (but not xiph.org) in whatever code runs
> after the connection is initiated and before the hash is calculated.
>
> Perhaps a MITM could send a huge file and fill up the disk or something
> like that.

I’m generally in favor of relying on X.509 certificates as little as
possible, and in this case, while I agree that it could protect us
against the scenario you describe, I think it’s a bit of a stretch.

However, we’d very likely have bug reports of people for which downloads
fail because of various issues in the X.509 infrastructure and/or in how
they set up their system (‘nss-certs’ uninstalled or too old,
SSL_CERT_DIR unset, etc.)

Thoughts?

Thanks,
Ludo’.

From: Mark H Weaver
Date: Thu, 22 Jun 2017 11:33:31 -0400

ludo@gnu.org (Ludovic Courtès) writes:

> The behavior of the source download is on purpose as noted in (guix
> download):
>
>                      ;; No need to validate certificates since we know the
>                      ;; hash of the expected result.
>                      #:verify-certificate? #f)))))
>
> IOW, since we’re checking the integrity of the tarball anyway, and we
> assume developers checked its authenticity when writing the recipe, then
> who cares whether downloads.xiph.org has a valid certificate?
>
> Conversely, ‘guix download’ always checks certificates by default.
>
> Does it make sense?

Yes, and I agree with this behavior.  However, it should be noted that
this will reduce the security of a bad practice that I suspect is
sometimes used by people when updating packages, namely to update the
version number, try building it, and then copy the hash from the error
message to the package.

FWIW, I always check digital signatures when they're available, and I
hope that others will as well, but in practice we are putting our faith
in a large number of contributors, some of whom might not be so careful.

Also, sadly, many packages are distributed without digital signatures at
all.  One glaring example is NSS.

      Mark
:message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=jU82w2PvhGusIY+Kr4 HE5RFKbKwiV2qG4m48JQ44V40=; b=KIryz38qsjPmccPDv5wb8roiO52XV7+aCa C1LPbR9bv65gl/t5NGHodab6ESlz55snccwg5OSiXJQylyg5wx1C0VvIfaxDA2Hi MKYGMoNeZ4/ywAHNaSIUbxTuIqPsbTxd9PkOV2MXAl4Btrlva3NS/9jGuipH7wPM tY0I26lA+W8fJdeEvMw1RyICPiuPhXCynOIWgLakTuiLVYqhQXWkGGgSz5mD3GRF TFKHDclkZld84HFvKDwuAztHWvZaL6NVsZRxUFE5hraK0hkw8+5hYfz8UOGPahgQ 8s9HJZqJgOF1Or/tVlGtOqorGQQIO3/9Yz98SFE8RLPOWtcljI0g== X-ME-Sender: X-Sasl-enc: FilbVTEVBqxcCHZI/woUh+5nnJ77hOF4bCJLmRiX6X1n 1498147870 Received: from localhost (unknown [128.64.129.7]) by mail.messagingengine.com (Postfix) with ESMTPA id 9DFAD7E755; Thu, 22 Jun 2017 12:11:10 -0400 (EDT) Date: Thu, 22 Jun 2017 12:11:08 -0400 
From: Leo Famulari Message-ID: <20170622161108.GA15580@jasmine.lan> References: <20170621061752.GA32412@jasmine.lan> <87lgolipi0.fsf@gnu.org> <87injohwac.fsf@netris.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ew6BAiZeqk4r7MaW" Content-Disposition: inline In-Reply-To: <87injohwac.fsf@netris.org> User-Agent: Mutt/1.8.3 (2017-05-23) X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --ew6BAiZeqk4r7MaW Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: > ludo@gnu.org (Ludovic Court=C3=A8s) writes: > > IOW, since we=E2=80=99re checking the integrity of the tarball anyway, = and we > > assume developers checked its authenticity when writing the recipe, then > > who cares whether downloads.xiph.org has a valid certificate? > > > > Conversely, =E2=80=98guix download=E2=80=99 always checks certificates = by default. > > > > Does it make sense? >=20 > Yes, and I agree with this behavior. However, it should be noted that > this will reduce the security of a bad practice that I suspect is > sometimes used by people when updating packages, namely to update the > version number, try building it, and then copy the hash from the error > message to the package. Yeah, that's a bad habit and I warn people against it whenever it comes up :/ > FWIW, I always check digital signatures when they're available, and I > hope that others will as well, but in practice we are putting our faith > in a large number of contributors, some of whom might not be so careful. >=20 > Also, sadly, many packages are distributed without digital signatures at > all. 
One glaring example is NSS. Do we have any contacts at Mozilla we can talk to about this? I imagine it's a long shot, with many bureaucratic hurdles, but it's worth asking for. --ew6BAiZeqk4r7MaW Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllL7BkACgkQJkb6MLrK fwhVbQ/9GY29rXJkWg3XgcDso7vjSp4J2wfooB1b2572z0oqkE4Q+N9gs2ApdI8D iLY206weA+PZakOVJ2oA4LMa/n1yU0S3hoZvOJkExPfhN81Oe7DcxflOCYRZeA8j uVsZRTjfm4dvoIUxKCleekOa2lvvYf04UbXbWHjbfP03L+LPxsvuNWJ7J7YLZtxF LM9GnF0J549HjTuRnmkmDo7gnmRY1FwucycNSKeGwnzx8EmjAsd5bJK96HQ94bhS fm1UiREyssSDsa5LOW+fKSGgu9FNDrPKwv8A9OezUUDTUAiQNB05ho0trCCPlkPv 1903UJ5Uy/dY7liTdTngkfJib7sxhdc3zX6hI47WjpNc60EzY2L01my1sO2sYG9J /G1iL/1tRyKtVSI1hZ/Csyvvfhwbv83aYnDLRj7/r+7wWv8uiLbJQX3Zlq1pkYXK ed+iThWPlU8oM8z0cI4ZZxq4SEPBfgqjZ7xmKahrAA/zjMx3wJ3Py3ngfZH82YZ0 Dp6zFDRR968LtcEsDvMILM8spzubaCy/lcJHhTvDNMuNFjp7Uq5fXMLUI6eUomDo MoTM6w9tRqkzYAb1BtBhjiyXwyzLHled0zsREZgzow3qy+mJy3P70vJBQGH+N/Wu Bw4aUDyLNLz2sWSbmLzKip4dmbOczZ1LTvPj20sbhXeb1f+j72Q= =PMC0 -----END PGP SIGNATURE----- --ew6BAiZeqk4r7MaW-- From unknown Tue Jun 24 05:13:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 22 Jun 2017 16:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 27437 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 27437@debbugs.gnu.org Received: via spool by 27437-submit@debbugs.gnu.org id=B27437.1498148173441 (code B ref 27437); Thu, 22 Jun 2017 16:17:02 +0000 Received: (at 27437) by debbugs.gnu.org; 22 Jun 2017 16:16:13 +0000 Received: from localhost ([127.0.0.1]:33356 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dO4mD-000073-IC for submit@debbugs.gnu.org; Thu, 22 Jun 2017 12:16:13 -0400 
Date: Thu, 22 Jun 2017 12:16:09 -0400
From: Leo Famulari
Message-ID: <20170622161609.GB15580@jasmine.lan>
In-Reply-To: <87zid0qwt8.fsf@gnu.org>

On Thu, Jun 22, 2017 at 09:57:23AM +0200, Ludovic Courtès wrote:
> > Perhaps a MITM could send a huge file and fill up the disk or something
> > like that.
>
> I’m generally in favor of relying on X.509 certificates as little as
> possible, and in this case, while I agree that it could protect us
> against the scenario you describe, I think it’s a bit of a stretch.

Agreed, the X.509 PKI is really brittle, and so I think our current
choice is reasonable.

It's different for `guix pull` because we don't use the full PKI, we
control most of the code involved, and we have a good relationship with
the Savannah admins.  Of course, we should eventually improve `guix pull`
to verify code signatures instead.

> However, we’d very likely have bug reports of people for which downloads
> fail because of various issues in the X.509 infrastructure and/or in how
> they set up their system (‘nss-certs’ uninstalled or too old,
> SSL_CERT_DIR unset, etc.)

Indeed, that would be super-annoying.
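As an added example (not Guix code and not written by anyone in this thread), the Python below sketches the model the messages above describe: the SHA-256 pinned in the package recipe, not the server's X.509 certificate, is what decides whether a downloaded tarball is accepted, and a byte cap on the reader covers the "huge file fills the disk" scenario. All function names and the sample bytes are constructed for this example; it also shows why pinning whatever hash appears in a build error message checks nothing.

```python
"""Pinned-hash verification of a fetched source archive.

Added example (not Guix code): the pinned SHA-256 from the recipe, not
the transport, authenticates the bytes; a byte cap stops a hostile or
broken server from filling the disk.  Names and sample bytes are
constructed for this example.
"""
import hashlib
import hmac
import io
from dataclasses import dataclass
from typing import BinaryIO, Optional

CHUNK = 64 * 1024  # read granularity; never pulls more than max_bytes + 1


@dataclass
class FetchResult:
    ok: bool
    reason: str
    bytes_read: int
    sha256: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(stream: BinaryIO, expected_sha256: str, max_bytes: int) -> FetchResult:
    """Stream the body through SHA-256 and compare with the pinned digest.

    Reading stops as soon as the body exceeds `max_bytes`; the transport is
    trusted for nothing, only the pinned digest decides acceptance.
    """
    h = hashlib.sha256()
    read = 0
    while True:
        # Ask for at most one byte past the cap: enough to detect overflow
        # without buffering an unbounded body.
        chunk = stream.read(min(CHUNK, max_bytes + 1 - read))
        if not chunk:
            break
        read += len(chunk)
        if read > max_bytes:
            return FetchResult(False, "size limit exceeded", read)
        h.update(chunk)
    digest = h.hexdigest()
    # Constant-time comparison; cheap insurance even for a public digest.
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        return FetchResult(False, "hash mismatch", read, digest)
    return FetchResult(True, "verified", read, digest)


def verify_bytes(data: bytes, expected_sha256: str, max_bytes: int = 1 << 20) -> FetchResult:
    """Convenience wrapper: treat an in-memory body as the download stream."""
    return fetch_and_verify(io.BytesIO(data), expected_sha256, max_bytes)


# Constructed sample: the copy a maintainer checked against upstream's
# signature (and therefore pinned), and a copy altered in transit.
GENUINE = b"constructed: genuine release tarball bytes\n" * 200
TAMPERED = GENUINE.replace(b"genuine", b"altered", 1)
PINNED_SHA256 = sha256_hex(GENUINE)  # what the recipe would record


if __name__ == "__main__":
    print("genuine :", verify_bytes(GENUINE, PINNED_SHA256))
    print("tampered:", verify_bytes(TAMPERED, PINNED_SHA256))
    print("oversize:", verify_bytes(b"x" * 5000, PINNED_SHA256, max_bytes=1024))
    # The habit the thread warns about: pinning whatever the server sent.
    # It "verifies" the tampered copy, because nothing independent was checked.
    print("pin-from-error-message:", verify_bytes(TAMPERED, sha256_hex(TAMPERED)))
```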
To: Leo Famulari
Cc: Mark H Weaver, 27437@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Date: Thu, 22 Jun 2017 21:12:27 +0200
Message-ID: <87wp83rg4k.fsf@gnu.org>
In-Reply-To: <20170622161108.GA15580@jasmine.lan> (Leo Famulari's message of "Thu, 22 Jun 2017 12:11:08 -0400")

Leo Famulari skribis:

> On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote:
>> ludo@gnu.org (Ludovic Courtès) writes:
>> > IOW, since we’re checking the integrity of the tarball anyway, and we
>> > assume developers checked its authenticity when writing the recipe, then
>> > who cares whether downloads.xiph.org has a valid certificate?
>> >
>> > Conversely, ‘guix download’ always checks certificates by default.
>> >
>> > Does it make sense?
>>
>> Yes, and I agree with this behavior.
>> However, it should be noted that
>> this will reduce the security of a bad practice that I suspect is
>> sometimes used by people when updating packages, namely to update the
>> version number, try building it, and then copy the hash from the error
>> message to the package.
>
> Yeah, that's a bad habit and I warn people against it whenever it comes
> up :/

Agreed.  That said, if we look at our updaters:

--8<---------------cut here---------------start------------->8---
$ guix refresh --list-updaters
Available updaters:
  - cpan: Updater for CPAN packages (9.2% coverage)
  - cran: Updater for CRAN packages (4.0% coverage)
  - bioconductor: Updater for Bioconductor packages (1.2% coverage)
  - crates: Updater for crates.io packages (.0% coverage)
  - elpa: Updater for ELPA packages (.3% coverage)
  - gem: Updater for RubyGem packages (2.5% coverage)
  - github: Updater for GitHub packages (10.5% coverage)
  - hackage: Updater for Hackage packages (5.2% coverage)
  - pypi: Updater for PyPI packages (17.6% coverage)
  - stackage: Updater for Stackage LTS packages (5.2% coverage)
  - kernel.org: Updater for packages hosted on kernel.org (.5% coverage)
  - gnome: Updater for GNOME packages (2.9% coverage)
  - xorg: Updater for X.org packages (3.2% coverage)
  - gnu: Updater for GNU packages (5.6% coverage)
  - kde: Updater for KDE packages (1.3% coverage)

69.0% of the packages are covered by these updaters.
--8<---------------cut here---------------end--------------->8---

I think only GNU and kernel.org provide signatures, which represents 6%
of our packages.  Of the 30% that do not have an updater, surely some
have digital signatures, but we’re probably still below 10%.  The
situation is bad in general…

Ludo’.
To: Leo Famulari
Cc: Mark H Weaver, 27437@debbugs.gnu.org
Date: Thu, 22 Jun 2017 21:30:36 +0000
From: ng0
Message-ID: <20170622213036.kvcwug7l3xf5yyhu@abyayala>
In-Reply-To: <20170622161108.GA15580@jasmine.lan>

Leo Famulari transcribed 2.4K bytes:
> On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote:
> > ludo@gnu.org (Ludovic Courtès) writes:
> > > IOW, since we’re checking the integrity of the tarball anyway, and we
> > > assume developers checked its authenticity when writing the recipe, then
> > > who cares whether downloads.xiph.org has a valid certificate?
> > >
> > > Conversely, ‘guix download’ always checks certificates by default.
> > >
> > > Does it make sense?
> >
> > Yes, and I agree with this behavior.  However, it should be noted that
> > this will reduce the security of a bad practice that I suspect is
> > sometimes used by people when updating packages, namely to update the
> > version number, try building it, and then copy the hash from the error
> > message to the package.
>
> Yeah, that's a bad habit and I warn people against it whenever it comes
> up :/
>
> > FWIW, I always check digital signatures when they're available, and I
> > hope that others will as well, but in practice we are putting our faith
> > in a large number of contributors, some of whom might not be so careful.
> >
> > Also, sadly, many packages are distributed without digital signatures at
> > all.  One glaring example is NSS.
>
> Do we have any contacts at Mozilla we can talk to about this? I imagine
> it's a long shot, with many bureaucratic hurdles, but it's worth asking
> for.

One way is their bug tracker.  Does any of us have an account at their
Bugzilla?  If it can't be discussed via Bugzilla, there must be some
mailing list for NSS development.

-- 
ng0
OpenPGP: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/
https://www.infotropique.org

To: Mark H Weaver
Cc: Ludovic Courtès, 27437@debbugs.gnu.org
From: Ricardo Wurmus
In-Reply-To: <87injohwac.fsf@netris.org>
Date: Thu, 22 Jun 2017 23:45:26 +0200
Message-ID: <87o9tf1ytl.fsf@elephly.net>

Mark H Weaver writes:

> FWIW, I always check digital signatures when they're available, and I
> hope that others will as well, but in practice we are putting our faith
> in a large number of contributors, some of whom might not be so careful.

I do the same when signatures are available.  I couldn’t find this
recommendation in “contributing.texi” — should we add it there?
-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net

To: Ricardo Wurmus, Mark H Weaver
Cc: 27437@debbugs.gnu.org
From: Marius Bakke
In-Reply-To: <87o9tf1ytl.fsf@elephly.net>
Date: Fri, 23 Jun 2017 00:32:03 +0200
Message-ID: <87shirodr0.fsf@fastmail.com>

Ricardo Wurmus writes:

> Mark H Weaver writes:
>
>> FWIW, I always check digital signatures when they're available, and I
>> hope that others will as well, but in practice we are putting our faith
>> in a large number of contributors, some of whom might not be so careful.
>
> I do the same when signatures are available.  I couldn’t find this
> recommendation in “contributing.texi” — should we add it there?

I think so.  Many contributors won't have used GnuPG before downloading
Guix and may not remember how/why when it's time to package something.

There are a fair number of PyPI packages that are signed; I've been
meaning to make the updater aware of it.  See scipy, numpy and friends.
Wouldn't mind if someone beats me to it!

As far as NSS goes, releases are announced at their "dev-tech-crypto"
mailing list[0], but the announcements are not signed either (nor do
they contain hashes).  The only authenticity they provide is the TLS
connection to ftp.mozilla.org[1].

Anyone up for drafting an email to the list?
[0] https://lists.mozilla.org/listinfo/dev-tech-crypto
[1] SHA256 fingerprint (valid until 2020):
3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B

To: ludo@gnu.org (Ludovic Courtès)
Cc: 27437@debbugs.gnu.org, Leo Famulari
From: Mike Gerwitz
In-Reply-To: <87wp83rg4k.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 22 Jun 2017 21:12:27 +0200")
Date: Thu, 22 Jun 2017 20:45:42 -0400
Message-ID: <87y3sj7cqx.fsf@gnu.org>

On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote:
> I think only GNU and kernel.org provide signatures, which represents 6%
> of our packages.  Of the 30% that do not have an updater, surely some
> have digital signatures, but we’re probably still below 10%.  The
> situation is bad in general…

What about signed tags/commits?
-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

To: Ricardo Wurmus
Cc: Mark H Weaver, 27437@debbugs.gnu.org
Date: Thu, 22 Jun 2017 23:24:01 -0400
From: Leo Famulari
Message-ID: <20170623032401.GA13366@jasmine.lan>
In-Reply-To: <87o9tf1ytl.fsf@elephly.net>

On Thu, Jun 22, 2017 at 11:45:26PM +0200, Ricardo Wurmus wrote:
>
> Mark H Weaver writes:
>
> > FWIW, I always check digital signatures when they're available, and I
> > hope that others will as well, but in practice we are putting our faith
> > in a large number of contributors, some of whom might not be so careful.
>
> I do the same when signatures are available.  I couldn’t find this
> recommendation in “contributing.texi” — should we add it there?

To me, it seems that the manual section Packaging Guidelines is a better
fit.

But, we tend to recommend people read Contributing, but rarely do I see
Packaging Guidelines recommended.  I suppose it's assumed they will find
it themselves.
To: Leo Famulari
Cc: Mark H Weaver, 27437@debbugs.gnu.org
2017 03:30:04 -0400 Received: from localhost (x2f7ff62.dyn.telefonica.de [2.247.255.98]) by mx.zohomail.com with SMTPS id 1498202996385231.3284633295317; Fri, 23 Jun 2017 00:29:56 -0700 (PDT) References: <20170621061752.GA32412@jasmine.lan> <87lgolipi0.fsf@gnu.org> <87injohwac.fsf@netris.org> <87o9tf1ytl.fsf@elephly.net> <20170623032401.GA13366@jasmine.lan> User-agent: mu4e 0.9.18; emacs 25.2.1 
From: Ricardo Wurmus In-reply-to: <20170623032401.GA13366@jasmine.lan> X-URL: https://elephly.net X-PGP-Key: https://elephly.net/rekado.pubkey X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC Date: Fri, 23 Jun 2017 09:29:46 +0200 Message-ID: <87fuer9n6d.fsf@elephly.net> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-ZohoMailClient: External X-Spam-Score: 1.0 (+) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Leo Famulari writes: > On Thu, Jun 22, 2017 at 11:45:26PM +0200, Ricardo Wurmus wrote: >> >> Mark H Weaver writes: >> >> > FWIW, I always check digital signatures when they're available, and I >> > hope that others will as well, but in practice we are putting our faith >> > in a large number of contributors, some of whom might not be so careful. >> >> I do the same when signatures are available. I couldn’t find this >> recommendation in “contributing.texi” — should we add it there? > > To me, it seems that the manual section Packaging Guidelines is a better > fit. > > But, we tend to recommend people read Contributing, but rarely do I see > Packaging Guidelines recommended. I suppose it's assumed they will find > it themselves. “Packaging Guidelines” refers to “Contributing”. I tried to add this to “Packaging Guidelines” but couldn’t find an appropriate place, so here’s a patch that adds an item to the checklist in “Contributing”. WDYT? --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-doc-Encourage-signature-verification.patch >From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001 
From: Ricardo Wurmus Date: Fri, 23 Jun 2017 09:24:58 +0200 Subject: [PATCH] doc: Encourage signature verification. * doc/contributing.texi (Submitting Patches): Remind contributors to verify cryptographic signatures. --- doc/contributing.texi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/contributing.texi b/doc/contributing.texi index 925c584e4..0073f2451 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi 
@@ -334,6 +334,12 @@ updates for a given software package in a single place and have them affect the whole system---something that bundled copies prevent. @item +If the authors of the packaged software provide a cryptographic +signature for the release tarball, make an effort to verify the +authenticity of the archive. For a detached GPG signature file this +would be done with the @code{gpg --verify} command. + +@item Take a look at the profile reported by @command{guix size} (@pxref{Invoking guix size}). This will allow you to notice references to other packages unwillingly retained. It may also help determine -- 2.12.2 --=-=-= Content-Type: text/plain -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net --=-=-=-- From unknown Tue Jun 24 05:13:29 2025 X-Loop: help-debbugs@gnu.org Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain Resent-From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 23 Jun 2017 09:32:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 27437 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Mike Gerwitz Cc: 27437@debbugs.gnu.org, Leo Famulari Received: via spool by 27437-submit@debbugs.gnu.org id=B27437.14982103168528 (code B ref 27437); Fri, 23 Jun 2017 09:32:01 +0000 Received: (at 27437) by debbugs.gnu.org; 23 Jun 2017 09:31:56 +0000 Received: from localhost ([127.0.0.1]:33874 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dOKwW-0002DU-2v for submit@debbugs.gnu.org; Fri, 23 Jun 2017 05:31:56 -0400 Received: from eggs.gnu.org ([208.118.235.92]:56092) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dOKwU-0002DI-BB for 27437@debbugs.gnu.org; Fri, 23 Jun 2017 05:31:54 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dOKwK-0001kE-9t for 27437@debbugs.gnu.org; 
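Review bot: the new @item tells contributors to run gpg --verify but says nothing about establishing trust in the signing key, and a signature only vouches for the tarball once the key itself has been checked (its fingerprint compared against the project's own site, an earlier release, or another source independent of the download location); one sentence to that effect after "would be done with the @code{gpg --verify} command." would close that gap. As a style point, the neighbouring item in the same hunk writes @command{guix size}, so @command{gpg --verify} (or @command{gpg} @option{--verify}) would be consistent with the rest of the checklist.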
From: Ludovic Courtès
To: Mike Gerwitz
Cc: 27437@debbugs.gnu.org, Leo Famulari
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Fri, 23 Jun 2017 11:31:40 +0200
In-Reply-To: <87y3sj7cqx.fsf@gnu.org> (Mike Gerwitz's message of "Thu, 22 Jun 2017 20:45:42 -0400")
Message-ID: <87podvaw3n.fsf@gnu.org>

Mike Gerwitz skribis:

> On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote:
>> I think only GNU and kernel.org provide signatures, which represents 6%
>> of our packages. Of the 30% that do not have an updater, surely some
>> have digital signatures, but we’re probably still below 10%. The
>> situation is bad in general…
>
> What about signed tags/commits?

They’re becoming more widespread, especially now that GitHub’s UI can
make sense of them. Nevertheless, I don’t think it changes the ratio
much if we look at the whole package set that we have.

Ludo’.
From: Ludovic Courtès
To: Ricardo Wurmus
Cc: Mark H Weaver, 27437@debbugs.gnu.org, Leo Famulari
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 27 Jul 2017 14:29:29 +0200
In-Reply-To: <87fuer9n6d.fsf@elephly.net> (Ricardo Wurmus's message of "Fri, 23 Jun 2017 09:29:46 +0200")
Message-ID: <87k22u3vx2.fsf@gnu.org>

Ricardo Wurmus skribis:

> From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus
> Date: Fri, 23 Jun 2017 09:24:58 +0200
> Subject: [PATCH] doc: Encourage signature verification.
>
> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
> cryptographic signatures.
> ---
>  doc/contributing.texi | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/doc/contributing.texi b/doc/contributing.texi
> index 925c584e4..0073f2451 100644
> --- a/doc/contributing.texi
> +++ b/doc/contributing.texi
> @@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
>  affect the whole system---something that bundled copies prevent.
>  
>  @item
> +If the authors of the packaged software provide a cryptographic
> +signature for the release tarball, make an effort to verify the
> +authenticity of the archive. For a detached GPG signature file this
> +would be done with the @code{gpg --verify} command.

I would make it the very first item of the check list.

If that’s fine with you, please push and maybe close the bug!

Ludo’.
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#27437: closed (Re: bug#27437: Source downloader accepts X.509 certificate for incorrect domain)
Reply-To: 27437@debbugs.gnu.org
Date: Thu, 27 Jul 2017 19:35:02 +0000

Your bug report

#27437: Source downloader accepts X.509 certificate for incorrect domain

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 27437@debbugs.gnu.org.

-- 
27437: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27437
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Attached message:

From: Ricardo Wurmus
To: Ludovic Courtès
Cc: Mark H Weaver, 27437-done@debbugs.gnu.org, Leo Famulari
Subject: Re: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 27 Jul 2017 21:34:29 +0200
In-Reply-To: <87k22u3vx2.fsf@gnu.org>
Message-ID: <87r2x165dm.fsf@elephly.net>

Ludovic Courtès writes:

> Ricardo Wurmus skribis:
>
>> From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
>> From: Ricardo Wurmus
>> Date: Fri, 23 Jun 2017 09:24:58 +0200
>> Subject: [PATCH] doc: Encourage signature verification.
>>
>> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
>> cryptographic signatures.
>> ---
>>  doc/contributing.texi | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/doc/contributing.texi b/doc/contributing.texi
>> index 925c584e4..0073f2451 100644
>> --- a/doc/contributing.texi
>> +++ b/doc/contributing.texi
>> @@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
>>  affect the whole system---something that bundled copies prevent.
>>  
>>  @item
>> +If the authors of the packaged software provide a cryptographic
>> +signature for the release tarball, make an effort to verify the
>> +authenticity of the archive. For a detached GPG signature file this
>> +would be done with the @code{gpg --verify} command.
>
> I would make it the very first item of the check list.
>
> If that’s fine with you, please push and maybe close the bug!

Looks like I’ve already pushed this a while back. I’ll move it up to the
top of the list.

(And I’m closing this bug.)

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
Attached original report:

From: Leo Famulari
To: bug-guix@gnu.org
Subject: Source downloader accepts X.509 certificate for incorrect domain
Date: Wed, 21 Jun 2017 02:17:52 -0400
Message-ID: <20170621061752.GA32412@jasmine.lan>

While working on some package updates, I found that the source code
downloader will accept an X.509 certificate for an incorrect site.

Here is what happens:

------
$ ./pre-inst-env guix build -S opus-tools --check
@ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
 
Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
 ….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0%
warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
------

Here is an example of what I think should happen in this case:

------
$ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
------

And this is what Firefox says:

------
downloads.xiph.org uses an invalid security certificate.

The certificate is only valid for the following names:
  osuosl.org, *.osuosl.org 

Error code: SSL_ERROR_BAD_CERT_DOMAIN
------
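The check that curl and Firefox perform above, and that the downloader in this report skipped, is the hostname match: after the certificate chain validates, the client must still confirm that the name it connected to is one of the names the certificate covers. The following is an added example of that matching step in Python; it is not Guix code and not part of this report. The certificate dict is constructed from the two names the report quotes (osuosl.org and *.osuosl.org) in the shape Python's ssl.SSLSocket.getpeercert() returns, and the function names are assumptions for illustration:

```python
"""Hostname verification step for a TLS download client.

Added example (not Guix code): given a validated certificate and the host
name the client asked for, decide whether the certificate is for that host.
The certificate below is constructed from the names quoted in the bug
report; it is not a parsed real certificate.
"""

# Constructed: the dict shape ssl.SSLSocket.getpeercert() produces for a
# certificate valid for osuosl.org and *.osuosl.org.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "osuosl.org"),),),
    "subjectAltName": (("DNS", "osuosl.org"), ("DNS", "*.osuosl.org")),
}


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name (RFC 6125 style).

    Comparison is case-insensitive.  A wildcard is accepted only as the
    whole leftmost label and matches exactly one label, so *.osuosl.org
    covers ftp.osuosl.org but not osuosl.org or a.b.osuosl.org.  Partial
    wildcards (f*o.example) and wildcards too high up (*.com) are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate claims.

    When subjectAltName carries any dNSName entries the subject CN is
    ignored, which is how current clients behave.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate covers ``hostname``."""
    return any(_dnsname_match(name, hostname) for name in cert_names(cert))


def check_download_host(cert: dict, hostname: str) -> str:
    """Decision a downloader should take before reading the response body.

    Returns "ok" on a match, otherwise a refusal message in the style of
    curl's error 51 shown in the report.
    """
    if hostname_matches(cert, hostname):
        return "ok"
    return ("SSL: certificate subject name (%s) does not match target host "
            "name '%s'" % (", ".join(cert_names(cert)), hostname))


if __name__ == "__main__":
    # The report's case: a certificate for osuosl.org presented by
    # downloads.xiph.org must be refused.
    print(check_download_host(CONSTRUCTED_CERT, "downloads.xiph.org"))
    # A host the wildcard does cover.
    print(check_download_host(CONSTRUCTED_CERT, "ftp.osuosl.org"))
```

In Python's own ssl module this step is performed automatically when a context from ssl.create_default_context() is used, because check_hostname is True there; a client that clears that flag, or that validates the chain with its own code and stops there, ends up in the state the report describes, accepting any certificate issued to anyone for any name.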