GNU bug report logs - #41907
[security] Substitutes fetched from server with no authorized key

Previous Next

Package: guix;

Reported by: Pierre Neidhardt <mail <at> ambrevar.xyz>

Date: Wed, 17 Jun 2020 07:39:01 UTC

Severity: normal

Tags: notabug

Done: Pierre Neidhardt <mail <at> ambrevar.xyz>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 41907 in the body.
You can then email your comments to 41907 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#41907; Package guix. (Wed, 17 Jun 2020 07:39:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Pierre Neidhardt <mail <at> ambrevar.xyz>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 17 Jun 2020 07:39:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pierre Neidhardt <mail <at> ambrevar.xyz>
To: bug-guix <at> gnu.org
Subject: [security] Substitutes fetched from server with no authorized key
Date: Wed, 17 Jun 2020 09:37:35 +0200

[Message part 1 (text/plain, inline)]
I could be doing something wrong, but...

1. Alice starts `guix publich -u ambrevar`.
2. Bob, who did _not_ authorize Alice's  signing key:
   - herd stop guix-daemon
   - guix-daemon --build-users-grouop=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
   - guix build curl

Result:

--8<---------------cut here---------------start------------->8---
downloading from http://10.0.0.4:8080/nar/gzip/...
--8<---------------cut here---------------end--------------->8---

Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.

Am I missing something or there is something really wrong?

-- 
Pierre Neidhardt
https://ambrevar.xyz/

[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org:
bug#41907; Package guix. (Wed, 17 Jun 2020 11:06:02 GMT) Full text and rfc822 format available.

Message #8 received at 41907 <at> debbugs.gnu.org (full text, mbox):

From: Julien Lepiller <julien <at> lepiller.eu>
To: bug-guix <at> gnu.org, Pierre Neidhardt <mail <at> ambrevar.xyz>,
 41907 <at> debbugs.gnu.org
Subject: Re: bug#41907: [security] Substitutes fetched from server with no
 authorized key
Date: Wed, 17 Jun 2020 07:05:42 -0400

Le 17 juin 2020 03:37:35 GMT-04:00, Pierre Neidhardt <mail <at> ambrevar.xyz> a écrit :
>I could be doing something wrong, but...
>
>1. Alice starts `guix publich -u ambrevar`.
>2. Bob, who did _not_ authorize Alice's  signing key:
>   - herd stop guix-daemon
>- guix-daemon --build-users-grouop=guixbuild
>--substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
>   - guix build curl
>
>Result:
>
>--8<---------------cut here---------------start------------->8---
>downloading from http://10.0.0.4:8080/nar/gzip/...
>--8<---------------cut here---------------end--------------->8---
>
>Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.
>
>Am I missing something or there is something really wrong?

There are two ways that you can get substitutes from unauthorized servers:

Substitutes for fixed-output derivations: guix lredy knows the result, so it doesn't need a signature, it checks the result (not sure this is a thing)

Substitutes that are reproducible. If you have a narinfo from an authorized build farm for a package in your local cache and alice's publish server proposes the same (name and checksum) substitute, you can download it. This is definitely a thing.

Other than that, guix should not use alice's substitutes.
Information forwarded to bug-guix <at> gnu.org:
bug#41907; Package guix. (Wed, 17 Jun 2020 11:07:01 GMT) Full text and rfc822 format available.
Information forwarded to bug-guix <at> gnu.org:
bug#41907; Package guix. (Wed, 17 Jun 2020 11:52:01 GMT) Full text and rfc822 format available.

Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pierre Neidhardt <mail <at> ambrevar.xyz>
To: Julien Lepiller <julien <at> lepiller.eu>, bug-guix <at> gnu.org,
 41907 <at> debbugs.gnu.org
Subject: Re: bug#41907: [security] Substitutes fetched from server with no
 authorized key
Date: Wed, 17 Jun 2020 13:51:46 +0200

[Message part 1 (text/plain, inline)]
Oh, that makes sense!
This is very smart actually!

Thanks a lot for the explanation!

-- 
Pierre Neidhardt
https://ambrevar.xyz/

[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org:
bug#41907; Package guix. (Wed, 17 Jun 2020 11:52:02 GMT) Full text and rfc822 format available.
bug closed, send any further explanations to 41907 <at> debbugs.gnu.org and Pierre Neidhardt <mail <at> ambrevar.xyz> Request was from Pierre Neidhardt <mail <at> ambrevar.xyz> to control <at> debbugs.gnu.org. (Wed, 17 Jun 2020 11:53:01 GMT) Full text and rfc822 format available.
Added tag(s) notabug. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Fri, 19 Jun 2020 20:52:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 18 Jul 2020 11:24:04 GMT) Full text and rfc822 format available.
This bug report was last modified 5 years and 56 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.