GNU bug report logs - #62656: Cannot fallback to SWH for Guix channel
Reported by: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Mon, 3 Apr 2023 21:40:01 UTC
Severity: important
Done: Nicolas Graves <ngraves <at> ngraves.fr>
Bug is archived. No further changes may be made.
Message #37 received at 62656 <at> debbugs.gnu.org:
Hi,
On Thu, 04 May 2023 at 15:05, Ludovic Courtès <ludovic.courtes <at> inria.fr> wrote:
>> Well, I do not see which features will be missing.
>
> Those mentioned earlier, provenance tracking and downgrade detection in
> particular.
Do we care about provenance tracking for this scenario? Similarly, do
we care about downgrade detection for this scenario?
I mean, we are not talking about a regular scenario but as you said a
worst-case scenario.
Somehow, I am missing where “security” (provenance tracking and
downgrade detection) fits in the picture.
If tomorrow Savannah is totally down and let's assume the malicious Eve is
serving https://git.savannah.gnu.org/git/guix.git. The authentication
is useless since Eve can easily rewrite it. The only mechanism that
protects Alice is the commit SHA-1 hash she has at hand. Eve needs to
attack this SHA-1 with some collision. And if it's possible to produce
a pre-image attack for SHA-1, then nothing would prevent Eve from also
replacing the origins of some packages in
https://git.savannah.gnu.org/git/guix.git.
Moreover, cloning from SWH using git-bare is not protecting either.
Well, you are trusting SWH. Somehow, you have no means to be sure that
the repository you get back from SWH is the one you expect. The only
way is to inspect the signatures; it means the end-user knows exactly
which gpg key from .guix-authorizations they must trust.
Obviously, the former could be injected in the latter. ;-) Noting that
SWH heavily relies on SHA-1, IIUC.
Yeah, we should talk with SWH’s folks. :-)
Cheers,
simon
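What the commit hash "at hand" actually pins, as an added example that is not part of this thread or of Guix's own code: git names every object by SHA-1 over "<type> <size>\0<payload>", and a commit id covers its tree, which covers every file, so a mirror (Eve, or SWH) that serves different bytes under the same commit id would need a second preimage. The toy client below recomputes the ids of what a mirror serves and compares them with the pinned commit, then checks that a candidate commit descends from the pinned one (the check the thread calls downgrade detection). The file names, origin URLs, authors and messages are constructed for illustration; the flat-tree model ignores subdirectories and modes other than 100644.

```python
"""Model of a pinned git commit id versus a tampering mirror (added example)."""
import hashlib
from collections import deque

WHO = "Alice <alice@example.org> 0 +0000"   # constructed author/committer line


def git_object_id(kind: str, payload: bytes) -> str:
    """Hash an object exactly as git does: SHA-1 over '<kind> <size>\\0<payload>'."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    """Flat tree (no subdirectories): entries '100644 <name>\\0<20-byte sha>', sorted by name."""
    payload = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files))
    return git_object_id("tree", payload)


def make_commit(files: dict, parents: list, message: str, who: str = WHO):
    """Return (commit_id, commit_payload) for a snapshot of `files` with given parents."""
    body = [f"tree {tree_id(files)}", *[f"parent {p}" for p in parents],
            f"author {who}", f"committer {who}", "", message]
    payload = "\n".join(body).encode() + b"\n"
    return git_object_id("commit", payload), payload


def snapshot(files: dict, parents: list, message: str, who: str = WHO):
    """What a mirror serves for one commit: the fields a client needs to re-hash it."""
    cid, _ = make_commit(files, parents, message, who)
    return cid, {"files": files, "parents": parents, "message": message, "who": who}


def verify_pinned(served: dict, pinned: str) -> bool:
    """Client side: re-hash the tree and commit the mirror serves under `pinned`.
    Any changed byte in any file (or in the parent list) changes the id."""
    obj = served.get(pinned)
    if obj is None:
        return False
    cid, _ = make_commit(obj["files"], obj["parents"], obj["message"], obj["who"])
    return cid == pinned


def is_ancestor(served: dict, old: str, new: str) -> bool:
    """True if `old` is reachable from `new` via parent links: moving old -> new is a
    fast-forward. False means a downgrade or a rewritten history."""
    seen, todo = set(), deque([new])
    while todo:
        c = todo.popleft()
        if c == old:
            return True
        if c in seen or c not in served:
            continue
        seen.add(c)
        todo.extend(served[c]["parents"])
    return False


def build_scenario():
    """Honest history c1 -> c2, and Eve's mirror claiming c2 but with a swapped origin."""
    v1 = {"gnu/packages/foo.scm": b'(uri "https://example.org/foo-1.0.tar.gz")\n',
          ".guix-authorizations": b"(authorizations (version 0) ())\n"}
    c1, r1 = snapshot(v1, [], "gnu: Add foo 1.0.")
    v2 = {**v1, "gnu/packages/foo.scm": b'(uri "https://example.org/foo-1.1.tar.gz")\n'}
    c2, r2 = snapshot(v2, [c1], "gnu: foo: Update to 1.1.")
    honest = {c1: r1, c2: r2}
    # Eve's mirror advertises the same commit id c2 but serves a different package origin.
    tampered = {**v2, "gnu/packages/foo.scm": b'(uri "https://evil.example/foo-1.1.tar.gz")\n'}
    _, r2_evil = snapshot(tampered, [c1], "gnu: foo: Update to 1.1.")
    eve = {c1: r1, c2: r2_evil}
    return c1, c2, honest, eve


if __name__ == "__main__":
    c1, c2, honest, eve = build_scenario()
    print("honest mirror, pinned c2:", verify_pinned(honest, c2))   # True
    print("Eve's mirror,  pinned c2:", verify_pinned(eve, c2))      # False
    print("c1 -> c2 fast-forward:", is_ancestor(honest, c1, c2))     # True
    print("c2 -> c1 (downgrade):", is_ancestor(honest, c2, c1))      # False
```

The point of the thread survives intact in this model: the id check catches any substitution short of a SHA-1 second preimage, while the ancestry check only tells Alice she is not being rolled back, and neither says anything about who authored the commits; that is what the signatures against `.guix-authorizations` are for, which the toy does not model.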