From: Simon Tournier
To: Ludovic Courtès
Cc: 62656@debbugs.gnu.org, Nicolas Graves
Subject: Re: bug#62656: broken guix time-machine + software-heritage
Date: Thu, 04 May 2023 19:00:28 +0200
Message-ID: <87mt2k821f.fsf@gmail.com>

Hi,

On Thu, 04 May 2023 at 15:05, Ludovic Courtès wrote:

>> Well, I do not see which features will be missing.
>
> Those mentioned earlier, provenance tracking and downgrade detection in
> particular.

Do we care about provenance tracking for this scenario? Similarly, do we care about downgrade detection for this scenario?
I mean, we are not talking about a regular scenario but, as you said, a worst-case scenario.

Somehow, I am missing where “security” (provenance tracking and downgrade detection) fits in the picture.

If tomorrow Savannah is totally down and let's assume the malicious Eve is serving https://git.savannah.gnu.org/git/guix.git. The authentication is useless since Eve can easily rewrite it. The only mechanism that protects Alice is the commit SHA-1 hash she has at hand. Eve needs to attack this SHA-1 with some collision. And if it’s possible to produce a pre-image attack for SHA-1, then nothing would prevent Eve from also replacing the origins of some packages in https://git.savannah.gnu.org/git/guix.git.

Moreover, cloning from SWH using git-bare is not protecting either. Well, you are trusting SWH. Somehow, you have no means to be sure that the repository you get back from SWH is the one you expect. The only way is to inspect the signatures; it means the end-user knows exactly which gpg key from .guix-authorizations they must trust. Obviously, the former could be injected in the latter. ;-)

Noting that SWH heavily relies on SHA-1, IIUC. Yeah, we should talk with SWH’s folks. :-)

Cheers,
simon
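
Added example, not part of the original message and not Guix or SWH code: a sketch of why a commit id held out of band lets Alice check a repository served by an untrusted mirror, while a rewritten history with its own .guix-authorizations is internally consistent. File contents, identities and function names are constructed for illustration, and the check is only as strong as SHA-1, as the message notes.

```python
import hashlib

def git_oid(kind, body):
    """Git object id: SHA-1 over b'<kind> <size>\\0' followed by the body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def make_repo(files):
    """Build a one-commit object store {oid: (kind, body)}; return (commit oid, store)."""
    store = {}
    def put(kind, body):
        store[git_oid(kind, body)] = (kind, body)
        return git_oid(kind, body)
    tree = b"".join(b"100644 " + name.encode() + b"\0" + bytes.fromhex(put("blob", data))
                    for name, data in sorted(files.items()))
    ident = b"Alice <alice@example.invalid> 0 +0000"  # constructed identity
    commit = (b"tree " + put("tree", tree).encode() + b"\nauthor " + ident +
              b"\ncommitter " + ident + b"\n\nconstructed commit\n")
    return put("commit", commit), store

def verified_checkout(pinned, served):
    """Walk commit -> tree -> blobs, re-hashing every object the mirror served."""
    def fetch(oid, kind):
        got_kind, body = served.get(oid, (None, b""))
        if got_kind != kind or git_oid(kind, body) != oid:
            raise ValueError(f"{kind} {oid} missing or does not hash to its id")
        return body
    commit = fetch(pinned, "commit")
    tree = fetch(commit.split(b"\n", 1)[0].split(b" ")[1].decode(), "tree")
    files, i = {}, 0
    while i < len(tree):  # entry layout: b"<mode> <name>\0" + 20 raw id bytes
        nul = tree.index(b"\0", i)
        name = tree[i:nul].split(b" ", 1)[1].decode()
        files[name] = fetch(tree[nul + 1:nul + 21].hex(), "blob")
        i = nul + 21
    return files

def mirror_accepts(pinned, served):
    """Return the verified files, or None if the mirror's objects fail the pin."""
    try:
        return verified_checkout(pinned, served)
    except ValueError:
        return None

# Constructed sample data (placeholder contents, not real Guix files).
FILES = {".guix-authorizations": b"alice-key\n", "guix.scm": b"(package ...)\n"}
EVE_FILES = {**FILES, ".guix-authorizations": b"eve-key\n"}
PINNED, HONEST = make_repo(FILES)             # the commit id Alice has at hand
EVE_COMMIT, EVE_STORE = make_repo(EVE_FILES)  # rewritten, self-consistent history
```

Eve's store verifies cleanly against her own commit id, so only the id Alice already holds distinguishes the two histories.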