GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Sat, 04 Feb 2023 18:20:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Mendler <mail <at> daniel-mendler.de>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 04 Feb 2023 18:20:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Daniel Mendler <mail <at> daniel-mendler.de>
To: bug-gnu-emacs <at> gnu.org
Cc: yantar92 <at> posteo.net, stefan <at> marxist.se, monnier <at> iro.umontreal.ca
Subject: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 04 Feb 2023 19:19:06 +0100
As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.

My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?

In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However the source repository may
also get compromised via other vectors.

https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Sun, 05 Feb 2023 11:20:01 GMT) Full text and rfc822 format available.

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ihor Radchenko <yantar92 <at> posteo.net>
To: Daniel Mendler <mail <at> daniel-mendler.de>
Cc: bug-gnu-emacs <at> gnu.org, stefan <at> marxist.se, monnier <at> iro.umontreal.ca
Subject: Re: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 05 Feb 2023 11:19:59 +0000
Daniel Mendler <mail <at> daniel-mendler.de> writes:

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?

I think that requiring every single commit to be signed is an overkill.
Maybe just the release tags?

I guess, :signature, if optional, may allow multiple levels of
verification:
1. nil :: no verification
2. (tags key1 key2 ...) :: verify release tags to match any of the
   listed GPG keys
3. (commits key1 key2 ...) :: verify every commit

I am not sure what would be the most reliable way to specify the keys.

Also, people with write access to the ELPA repo may be required to sign
their commits -- in the case of a security breach if the SSH key gets
stolen, signing may be a barrier to protect altering the elpa-packages
configuration from injecting malicious GPG keys.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Tue, 07 Feb 2023 03:57:01 GMT) Full text and rfc822 format available.

Message #11 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Daniel Mendler <mail <at> daniel-mendler.de>
Cc: 61277 <at> debbugs.gnu.org, stefan <at> marxist.se, yantar92 <at> posteo.net,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Mon, 06 Feb 2023 22:56:35 -0500
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > As discussed on emacs-devel it would be good if ELPA security could be
  > improved, preventing potential breaches on the side of the source
  > repository. This feature becomes more relevant the more packages are
  > :auto-sync'ed from their source repository.

I agree that we need to clean up the social system for maintaining GNU ELPA
packages.  It should be as clear and documented as that for Emacs core.

  > My git commits are usually signed, so one could check the signature of
  > each commit which leads to a package build. This feature could be opt-in
  > for now, enabled via an attribute :signature in the elpa-packages
  > configuration. Maybe elpa-packages could store the fingerprint(s) of the
  > expected GPG key(s)?

What do other maintainers think of this?

It addresses one way of handling GNU ELPA packages, but not all GNU
ELPA packages are handled in this way.  What other categories of
packages do we need to consider?

  > In the case of a breach,

Breach of precisely what?  To think about this issue
requires an answer to that question.

  > both the SSH and GPG keys may be stolen, which
  > would allow an attacker to create commits on hosted repositories, such
  > that the mechanism would not help. However the source repository may
  > also get compromised via other vectors.

Is this a problem that has a solution?

Should we move this to emacs-devel?  A specific bug ticket
is not the right place for such an important topic.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Tue, 07 Feb 2023 11:45:02 GMT) Full text and rfc822 format available.

Message #14 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Ihor Radchenko <yantar92 <at> posteo.net>
To: rms <at> gnu.org
Cc: Daniel Mendler <mail <at> daniel-mendler.de>, 61277 <at> debbugs.gnu.org,
 stefan <at> marxist.se, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to
 signed git commits
Date: Tue, 07 Feb 2023 11:44:31 +0000
Richard Stallman <rms <at> gnu.org> writes:

> Should we move this to emacs-devel?  A specific bug ticket
> is not the right place for such an important topic.

This was explicitly requested to be made into a bug ticket on
emacs-devel. See
https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg <at> mail.gmail.com

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Tue, 07 Feb 2023 12:11:01 GMT) Full text and rfc822 format available.

Message #17 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: rms <at> gnu.org
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, stefan <at> marxist.se,
 yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Tue, 07 Feb 2023 14:10:42 +0200
> Cc: 61277 <at> debbugs.gnu.org, stefan <at> marxist.se, yantar92 <at> posteo.net,
>  monnier <at> iro.umontreal.ca
> From: Richard Stallman <rms <at> gnu.org>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
> 
>   > My git commits are usually signed, so one could check the signature of
>   > each commit which leads to a package build. This feature could be opt-in
>   > for now, enabled via an attribute :signature in the elpa-packages
>   > configuration. Maybe elpa-packages could store the fingerprint(s) of the
>   > expected GPG key(s)?
> 
> What do other maintainers think of this?

I don't have an opinion.  Frankly, I don't really understand what
would signing commits give in this regard, given that people who
install a package normally install a tarball, they don't clone the Git
repository.  I also don't think the goals were stated clearly, so it's
hard to reason about this.  But then I'm nowhere near being an expert
on this stuff, so I could easily miss something important.

> Should we move this to emacs-devel?  A specific bug ticket
> is not the right place for such an important topic.

Agreed.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Tue, 07 Feb 2023 12:41:02 GMT) Full text and rfc822 format available.

Message #20 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ihor Radchenko <yantar92 <at> posteo.net>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, stefan <at> marxist.se,
 rms <at> gnu.org, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Tue, 07 Feb 2023 14:40:19 +0200
> Cc: Daniel Mendler <mail <at> daniel-mendler.de>, 61277 <at> debbugs.gnu.org,
>  stefan <at> marxist.se, monnier <at> iro.umontreal.ca
> From: Ihor Radchenko <yantar92 <at> posteo.net>
> Date: Tue, 07 Feb 2023 11:44:31 +0000
> 
> Richard Stallman <rms <at> gnu.org> writes:
> 
> > Should we move this to emacs-devel?  A specific bug ticket
> > is not the right place for such an important topic.
> 
> This was explicitly requested to be made into a bug ticket on
> emacs-devel. See
> https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg <at> mail.gmail.com

The bug report is OK, but we want to discuss more general issues, I
think.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Thu, 09 Feb 2023 04:29:02 GMT) Full text and rfc822 format available.

Message #23 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Ihor Radchenko <yantar92 <at> posteo.net>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, stefan <at> marxist.se,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to
 signed git commits
Date: Wed, 08 Feb 2023 23:28:13 -0500
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

I wrote:

  > > Should we move this to emacs-devel?  A specific bug ticket
  > > is not the right place for such an important topic.

You replied:

  > This was explicitly requested to be made into a bug ticket on
  > emacs-devel. See
  > https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg <at> mail.gmail.com

I looked at that URL but I can't understand what it says.  I see
several ways to parse "This was explicitly requested to be made into a
bug ticket on emacs-devel" so I don't know what it means.  Can you
state your point more explicitly and not tersely?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Thu, 09 Feb 2023 12:08:01 GMT) Full text and rfc822 format available.

Message #26 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Ihor Radchenko <yantar92 <at> posteo.net>
To: rms <at> gnu.org
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, stefan <at> marxist.se,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to
 signed git commits
Date: Thu, 09 Feb 2023 12:07:32 +0000
Richard Stallman <rms <at> gnu.org> writes:

>   > This was explicitly requested to be made into a bug ticket on
>   > emacs-devel. See
>   > https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg <at> mail.gmail.com
>
> I looked at that URL but I can't understand what it says.  I see
> several ways to parse "This was explicitly requested to be made into a
> bug ticket on emacs-devel" so I don't know what it means.  Can you
> state your point more explicitly and not tersely?

I meant that Daniel submitted this bug ticket after Stefan's message
stating that

>>>   I think we should add some flag to the build system saying that a
>>>   package should only be released if the new tag has a valid signature...
>>>
>>>   IMO, opening a feature request for this in the bug tracker would be
>>>   useful.  A patch would be even better.

The emacs-devel discussion that includes the topic of this FR has been
started earlier in the thread I linked to. So, there is no need to move
this FR to emacs-devel - it is already being discussed there.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Sun, 12 Feb 2023 04:05:01 GMT) Full text and rfc822 format available.

Message #29 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Ihor Radchenko <yantar92 <at> posteo.net>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, stefan <at> marxist.se,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Sat, 11 Feb 2023 23:04:30 -0500
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > I looked at that URL but I can't understand what it says.  I see
  > > several ways to parse "This was explicitly requested to be made into a
  > > bug ticket on emacs-devel" so I don't know what it means.  Can you
  > > state your point more explicitly and not tersely?

  > I meant that Daniel submitted this bug ticket after Stefan's message
  > stating that

  > >>>   I think we should add some flag to the build system saying that a
  > >>>   package should only be released if the new tag has a valid signature...
  > >>>
  > >>>   IMO, opening a feature request for this in the bug tracker would be
  > >>>   useful.  A patch would be even better.

Now I think I understand.

Thanks, Daniel.  That was a useful thing to do.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Sun, 12 Feb 2023 06:38:02 GMT) Full text and rfc822 format available.

Message #32 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: rms <at> gnu.org, Daniel Mendler <mail <at> daniel-mendler.de>
Cc: 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Sun, 12 Feb 2023 06:37:01 +0000
Richard Stallman <rms <at> gnu.org> writes:

>   > In the case of a breach,
>
> Breach of precisely what?  To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

>
>   > both the SSH and GPG keys may be stolen, which
>   > would allow an attacker to create commits on hosted repositories, such
>   > that the mechanism would not help.
>
> Is this a problem that has a solution?

Yes, for example you could put your PGP key (usually a subkey)
on a smartcard, and have no copy on the local filesystem.

PGP keys usually also have an additional password, in addition to the
one that developers normally (we hope) use for their SSH key.




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Sun, 12 Feb 2023 10:33:01 GMT) Full text and rfc822 format available.

Message #35 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Daniel Mendler <mail <at> daniel-mendler.de>
To: Stefan Kangas <stefankangas <at> gmail.com>, rms <at> gnu.org
Cc: 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Sun, 12 Feb 2023 11:32:36 +0100
On 2/12/23 07:37, Stefan Kangas wrote:
>> Breach of precisely what?  To think about this issue
>> requires an answer to that question.
> 
> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

There could also be a breach on the server where the git repository is
hosted. The repository could be manipulated directly on the server. It
is not that likely but if such incidents happen they have a huge
fallout. I also expect that more and more people move their
:auto-sync'ed git repositories to private servers or smaller forges,
which may not be as protected as the most popular ones.

Daniel




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Wed, 15 Feb 2023 05:18:02 GMT) Full text and rfc822 format available.

Message #38 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Wed, 15 Feb 2023 00:17:14 -0500
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > >   > In the case of a breach,
  > >
  > > Breach of precisely what?  To think about this issue
  > > requires an answer to that question.

  > The idea is that the likelihood of both an SSH and a PGP key getting
  > stolen at the same time is lower than either one of them getting stolen
  > separately.

That seems plausible to me, but we are miscommunicating.
You're discussing the "how" of a possible breach,
but what I really need to know is the "what".
What is being breached?  What is the context here?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Wed, 15 Feb 2023 05:18:02 GMT) Full text and rfc822 format available.

Message #41 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Daniel Mendler <mail <at> daniel-mendler.de>
Cc: 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, stefankangas <at> gmail.com,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Wed, 15 Feb 2023 00:17:21 -0500
[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > There could also be a breach on the server where the git repository is
  > hosted. The repository could be manipulated directly on the server. It
  > is not that likely but if such incidents happen they have a huge
  > fallout. I also expect that more and more people move their
  > :auto-sync'ed git repositories to private servers or smaller forges,
  > which may not be as protected as the most popular ones.

Do we know of any security experts who appreciate the moral principles
of free software, who could help us come up with methods that properly
handle both?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Wed, 15 Feb 2023 13:38:01 GMT) Full text and rfc822 format available.

Message #44 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: rms <at> gnu.org
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Wed, 15 Feb 2023 05:37:36 -0800
Richard Stallman <rms <at> gnu.org> writes:

> You're discussing the "how" of a possible breach,
> but what I really need to know is the "what".
> What is being breached?  What is the context here?

The "what" is the git repository of a GNU ELPA or NonGNU ELPA package.

If an attacker can introduce a commit containing malicious code, and
create a new git tag pointing to that commit, the GNU ELPA scripts will
fetch it, and release a new version of the package (now including the
malicious code).  By requiring tags to be cryptographically signed, we
can have a greater confidence that any new tag has at the very least
been signed off by the developer him/herself.
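The flow Stefan Kangas describes above (a malicious commit plus a new ref that the sync scripts would otherwise build), Daniel's proposed `:signature` attribute holding the expected key fingerprints (message #5), and Ihor's three verification levels (message #8) can be tied together in one build gate. The following is an added example written for this page, not code from elpa-admin or from any of the participants. It assumes the gpg status-line format that `git verify-tag --raw` and `git verify-commit --raw` print; the function names (`build_permitted`, `signature_allowed`), the spelling of the levels as `"tags"`/`"commits"`, and every fingerprint and status line below are my own constructed samples.

```python
"""Signature gate for an ELPA-style build (hypothetical helper, not elpa-admin code).

Refuses to build from a git revision unless gpg reports a valid signature made by
a key whose fingerprint is on the package's allow-list.  Modelled on the proposed
`:signature` attribute: nil, (tags KEY...) or (commits KEY...).  The gpg status
lines used below are constructed samples in the format that
`git verify-tag --raw` / `git verify-commit --raw` print.
"""
import re
import subprocess
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Any of these means the signature must not be trusted, whatever else gpg printed.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class SigStatus:
    good: bool = False                              # a GOODSIG line was seen
    fingerprints: set = field(default_factory=set)  # signing key and primary key (VALIDSIG)
    problems: list = field(default_factory=list)    # fatal keywords seen


def parse_status(raw: str) -> SigStatus:
    """Reduce gpg's machine-readable status output to what the policy needs."""
    st = SigStatus()
    for line in raw.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            st.good = True
        elif keyword == "VALIDSIG" and args:
            # Field 1 is the signing (sub)key fingerprint; field 10, when present, is the
            # primary key fingerprint.  GOODSIG only carries a 64-bit key ID, which is too
            # short to serve as an identity, so the allow-list is matched on VALIDSIG.
            st.fingerprints.add(args[0].upper())
            if len(args) >= 10:
                st.fingerprints.add(args[9].upper())
        elif keyword in FATAL_KEYWORDS:
            st.problems.append(keyword)
    return st


def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def signature_allowed(raw: str, allowed_fprs) -> tuple:
    """Return (ok, reason); ok is True only for a good signature by a listed key."""
    st = parse_status(raw)
    allowed = {normalize_fpr(f) for f in allowed_fprs}
    if st.problems:
        return False, "gpg reported " + ",".join(sorted(set(st.problems)))
    if not st.good or not st.fingerprints:
        return False, "no valid signature"
    if not st.fingerprints & allowed:
        return False, "signed by a key that is not on the package's key list"
    return True, "signed by listed key"


def git_verify_raw(kind: str, ref: str, repo_dir: str) -> str:
    """Real-world hook (not used by the sample run): gpg status lines for a tag or commit."""
    sub = "verify-tag" if kind == "tag" else "verify-commit"
    proc = subprocess.run(["git", "-C", repo_dir, sub, "--raw", ref],
                          capture_output=True, text=True)
    return proc.stderr  # --raw prints the [GNUPG:] lines on stderr


def build_permitted(policy, release_tag: str, new_commits, verify) -> tuple:
    """Apply the proposed :signature levels to a pending release.

    policy: None (no check), ("tags", fpr, ...) (the release tag must verify) or
    ("commits", fpr, ...) (every new commit must verify).  verify(kind, ref)
    returns gpg status text for that ref.
    """
    if policy is None:
        return True, "no verification configured"
    level, *fprs = policy
    if level == "tags":
        refs = [("tag", release_tag)]
    elif level == "commits":
        refs = [("commit", c) for c in new_commits]
    else:
        raise ValueError(f"unknown :signature level {level!r}")
    for kind, ref in refs:
        ok, why = signature_allowed(verify(kind, ref), fprs)
        if not ok:
            return False, f"refusing build: {kind} {ref}: {why}"
    return True, f"{len(refs)} {level} verified"


# --- constructed sample data (not real keys) ---------------------------------
MAINT_PRIMARY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # listed in :signature
MAINT_SUBKEY = "0123456789ABCDEF0123456789ABCDEF01234567"   # signing subkey, e.g. on a smartcard
ROGUE_KEY = "DEADBEEF" * 5                                   # valid signature, wrong key


def _good(fpr, primary):
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} Maintainer <maint@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2023-02-04 1675533546 0 4 0 22 8 01 {primary}\n")


SAMPLE_STATUS = {
    "v1.2": _good(MAINT_SUBKEY, MAINT_PRIMARY),
    "c1": _good(MAINT_SUBKEY, MAINT_PRIMARY),
    "c2": "",                                    # unsigned commit: git prints no status lines
    "v1.3": _good(ROGUE_KEY, ROGUE_KEY),         # pushed by someone holding a different key
    "c3": "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Maintainer <maint@example.org>\n",
}


def sample_verify(kind, ref):
    return SAMPLE_STATUS.get(ref, "")


if __name__ == "__main__":
    for policy, tag, commits in [(None, "v1.3", ["c3"]),
                                 (("tags", MAINT_PRIMARY), "v1.2", ["c1", "c2"]),
                                 (("commits", MAINT_PRIMARY), "v1.2", ["c1", "c2"]),
                                 (("tags", MAINT_PRIMARY), "v1.3", ["c3"])]:
        print(policy and policy[0], tag, build_permitted(policy, tag, commits, sample_verify))
```

Two design points are worth spelling out. The gate ignores gpg's `TRUST_*` lines on purpose: the fingerprint list in elpa-packages is the trust decision, so the build host's keyring trust does not matter, and a good signature from an unlisted key is rejected exactly like a bad one. That also means, as Ihor notes, the scheme is only as strong as the integrity of elpa-packages itself. And since Stefan Monnier points out that the elpa.gnu.org scripts currently look only at commits, not tags, the `"commits"` level is the one that maps onto today's sync path; the `"tags"` level would need the scripts to start consulting tags at all.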




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Wed, 15 Feb 2023 16:41:02 GMT) Full text and rfc822 format available.

Message #47 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net,
 rms <at> gnu.org
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to
 signed git commits
Date: Wed, 15 Feb 2023 11:40:20 -0500
> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code).  By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

Technical nitpick: currently, the elpa.gnu.org scripts do not pay
attention to any Git tags (signed or not) to do their work.  We only use
the commits and their contents/history.


        Stefan





Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#61277; Package emacs. (Sun, 26 Feb 2023 03:00:03 GMT) Full text and rfc822 format available.

Message #50 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Sat, 25 Feb 2023 21:59:45 -0500
Please forgive my delay in replying.

  > If an attacker can introduce a commit containing malicious code, and
  > create a new git tag pointing to that commit, the GNU ELPA scripts will
  > fetch it, and release a new version of the package (now including the
  > malicious code).  By requiring tags to be cryptographically signed, we
  > can have a greater confidence that any new tag has at the very least
  > been signed off by the developer him/herself.

This seems wise to me.  Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Added tag(s) security. Request was from Stefan Kangas <stefankangas <at> gmail.com> to control <at> debbugs.gnu.org. (Mon, 04 Sep 2023 09:08:02 GMT) Full text and rfc822 format available.
