From unknown Thu Sep 11 15:11:13 2025
From: bug#41907 <41907@debbugs.gnu.org>
To: bug#41907 <41907@debbugs.gnu.org>
Subject: Status: [security] Substitutes fetched from server with no authorized key
Date: Thu, 11 Sep 2025 22:11:13 +0000

retitle 41907 [security] Substitutes fetched from server with no authorized key
reassign 41907 guix
submitter 41907 Pierre Neidhardt
severity 41907 normal
tag 41907 notabug
thanks

From debbugs-submit-bounces@debbugs.gnu.org Wed Jun 17 03:38:25 2020
From: Pierre Neidhardt
To: bug-guix@gnu.org
Subject: [security] Substitutes fetched from server with no authorized key
Date: Wed, 17 Jun 2020 09:37:35 +0200
Message-ID: <87k106nnwg.fsf@ambrevar.xyz>
I could be doing something wrong, but...

1. Alice starts `guix publish -u ambrevar`.
2. Bob, who did _not_ authorize Alice's signing key:
   - herd stop guix-daemon
   - guix-daemon --build-users-group=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
   - guix build curl

Result:

--8<---------------cut here---------------start------------->8---
downloading from http://10.0.0.4:8080/nar/gzip/...
--8<---------------cut here---------------end--------------->8---

Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.

Am I missing something, or is there something really wrong?
-- 
Pierre Neidhardt
https://ambrevar.xyz/

From debbugs-submit-bounces@debbugs.gnu.org Wed Jun 17 07:05:59 2020
Date: Wed, 17 Jun 2020 07:05:42 -0400
From: Julien Lepiller
To: bug-guix@gnu.org, Pierre Neidhardt, 41907@debbugs.gnu.org
Subject: Re: bug#41907: [security] Substitutes fetched from server with no authorized key
In-Reply-To: <87k106nnwg.fsf@ambrevar.xyz>
On 17 June 2020 03:37:35 GMT-04:00, Pierre Neidhardt wrote:
> I could be doing something wrong, but...
>
> 1. Alice starts `guix publish -u ambrevar`.
> 2. Bob, who did _not_ authorize Alice's signing key:
>    - herd stop guix-daemon
>    - guix-daemon --build-users-group=guixbuild --substitute-urls='http://10.0.0.4:8080 https://ci.guix.gnu.org'
>    - guix build curl
>
> Result:
>
> --8<---------------cut here---------------start------------->8---
> downloading from http://10.0.0.4:8080/nar/gzip/...
> --8<---------------cut here---------------end--------------->8---
>
> Guix commit 8b00728144d0e4bbc740e1595c85f0ecee3f6fb0.
>
> Am I missing something, or is there something really wrong?
There are two ways that you can get substitutes from unauthorized servers:

1. Substitutes for fixed-output derivations: guix already knows the result, so it doesn't need a signature, it checks the result (not sure this is a thing).

2. Substitutes that are reproducible. If you have a narinfo from an authorized build farm for a package in your local cache and Alice's publish server proposes the same (name and checksum) substitute, you can download it. This is definitely a thing.

Other than that, guix should not use Alice's substitutes.

From debbugs-submit-bounces@debbugs.gnu.org Wed Jun 17 07:51:57 2020
From: Pierre Neidhardt
To: Julien Lepiller, bug-guix@gnu.org, 41907@debbugs.gnu.org
Subject: Re: bug#41907: [security] Substitutes fetched from server with no authorized key
References:
 <87k106nnwg.fsf@ambrevar.xyz>
Date: Wed, 17 Jun 2020 13:51:46 +0200
Message-ID: <87h7v929m5.fsf@ambrevar.xyz>

Oh, that makes sense! This is very smart actually!
Thanks a lot for the explanation!
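The second case Julien describes above, an unauthorized server offering the same (name and checksum) substitute that an authorized narinfo already vouches for, is modelled below as an added Python example. It is not Guix's code and not part of this thread: signatures are stood in by HMAC rather than the public-key signatures real narinfos carry, and the key names, store path, URLs and nar contents are constructed sample data. The `known_hash` parameter only sketches the logic a fixed-output check would use; whether Guix does that is the part Julien leaves open, so nothing here claims it does. The point the model makes is that Bob's daemon never trusts Alice's server: it trusts the hash in a narinfo signed by a key in his ACL, and Alice's server can only act as a mirror for bytes that are re-hashed on arrival.

```python
"""Model of why a substitute can legitimately arrive from a server whose
signing key the client never authorized.

Added illustration, not Guix code.  HMAC stands in for narinfo signatures;
keys, URLs, the store path and nar contents are constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed signing keys.  Bob's ACL contains only the build farm's key.
KEYS = {"ci.guix.gnu.org": b"farm-signing-key", "alice": b"alice-signing-key"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Narinfo:
    store_path: str
    url: str                      # where this server serves the nar
    nar_hash: str                 # hash of the nar it promises to serve
    nar_size: int
    signer: Optional[str] = None
    signature: Optional[str] = None

    def signed_fields(self) -> bytes:
        # The URL is deliberately not covered: the signature vouches for
        # the content, and any mirror may serve that content.
        return f"{self.store_path}\n{self.nar_hash}\n{self.nar_size}".encode()


def sign(n: Narinfo, signer: str) -> Narinfo:
    mac = hmac.new(KEYS[signer], n.signed_fields(), hashlib.sha256).hexdigest()
    return Narinfo(n.store_path, n.url, n.nar_hash, n.nar_size, signer, mac)


def authorized(n: Narinfo, acl: set) -> bool:
    """True only for a valid signature made by a key in the client's ACL."""
    key = KEYS.get(n.signer) if n.signer in acl else None
    if key is None or n.signature is None:
        return False
    want = hmac.new(key, n.signed_fields(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, n.signature)


def equivalent(a: Narinfo, b: Narinfo) -> bool:
    """Same store path, hash and size: both servers promise identical bytes."""
    return (a.store_path, a.nar_hash, a.nar_size) == (b.store_path, b.nar_hash, b.nar_size)


def choose_narinfo(candidates: list, acl: set) -> Optional[Narinfo]:
    """Walk the servers in --substitute-urls order.  An unauthorized narinfo
    is usable only when an authorized one (fetched now or cached earlier)
    is equivalent to it; otherwise it is ignored."""
    trusted = [n for n in candidates if authorized(n, acl)]
    for n in candidates:
        if authorized(n, acl) or any(equivalent(n, t) for t in trusted):
            return n
    return None


def fetch_and_verify(chosen: Narinfo, servers: dict,
                     known_hash: Optional[str] = None) -> bytes:
    """Download from the chosen URL and re-hash.  KNOWN_HASH models a
    fixed-output check, where the expected hash comes from the derivation
    rather than from any narinfo (hypothetical here, see the lead-in)."""
    data = servers[chosen.url]
    want = known_hash or chosen.nar_hash
    if sha256(data) != want:
        raise ValueError(f"hash mismatch for {chosen.store_path} via {chosen.url}")
    return data


# Constructed scenario from the report: Alice's server is listed first.
CURL = "/gnu/store/00000000000000000000000000000000-curl-7.70.0"
FARM_URL = "https://ci.guix.gnu.org/nar/gzip/curl"
ALICE_URL = "http://10.0.0.4:8080/nar/gzip/curl"
GOOD_NAR = b"reproducible curl build (constructed bytes)"
BOB_ACL = {"ci.guix.gnu.org"}


def scenario(alice_claims_hash: str, alice_serves: bytes):
    """Return (url chosen, outcome) for one configuration of Alice's server."""
    farm = sign(Narinfo(CURL, FARM_URL, sha256(GOOD_NAR), len(GOOD_NAR)), "ci.guix.gnu.org")
    alice = sign(Narinfo(CURL, ALICE_URL, alice_claims_hash, len(GOOD_NAR)), "alice")
    chosen = choose_narinfo([alice, farm], BOB_ACL)
    servers = {FARM_URL: GOOD_NAR, ALICE_URL: alice_serves}
    try:
        fetch_and_verify(chosen, servers)
        return chosen.url, "ok"
    except ValueError:
        return chosen.url, "rejected"


if __name__ == "__main__":
    # Same hash, same bytes: Bob downloads from 10.0.0.4, as in the report.
    print(scenario(sha256(GOOD_NAR), GOOD_NAR))
    # Alice advertises a different hash: not equivalent, so the farm is used.
    print(scenario(sha256(b"backdoored"), b"backdoored"))
    # Alice advertises the farm's hash but serves other bytes: caught on re-hash.
    print(scenario(sha256(GOOD_NAR), b"backdoored"))
```

The three runs at the bottom reproduce the report's observation and its two failure modes: the download address in the first run is Alice's, yet the decision to use it was taken on the strength of the build farm's signed narinfo, and a server that lies about either its hash or its bytes is dropped or rejected.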
From debbugs-submit-bounces@debbugs.gnu.org Wed Jun 17 07:52:18 2020
Date: Wed, 17 Jun 2020 13:52:08 +0200
Message-Id: <87ftat29lj.fsf@ambrevar.xyz>
To: control@debbugs.gnu.org
From: Pierre Neidhardt
Subject: control message for bug #41907
close 41907
quit

From debbugs-submit-bounces@debbugs.gnu.org Fri Jun 19 16:51:30 2020
Date: Fri, 19 Jun 2020 22:51:20 +0200
Message-Id: <87eeqaeq47.fsf@gnu.org>
To: control@debbugs.gnu.org
From: Ludovic Courtès
Subject: control message for bug #41907

tags 41907 + notabug
quit

From unknown Thu Sep 11 15:11:13 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 18 Jul 2020 11:24:04 +0000

bug archived.