bug-guix

Re: New “guix refresh” command


From: Ludovic Courtès
Subject: Re: New “guix refresh” command
Date: Fri, 10 May 2013 15:11:34 +0200
User-agent: Gnus/5.130005 (Ma Gnus v0.5) Emacs/24.3 (gnu/linux)

Nikita Karetnikov <address@hidden> skribis:

>> Objects aren’t malicious.  Perhaps you’re talking about situations where
>> a mirror provides a tarball along with a valid signature, but said
>> signature is made with a random key, and the tarball is actually not
>> genuine, right?
>
> Yep.
>
>> Second, this is the same model as used by the OpenSSH client.  When the
>> client is first introduced to a host, it presents you its key
>> fingerprint, you type ‘y’, and that key gets added to your known hosts
>> file.  From there on, person-in-the-middle attacks are trivially
>> detected as a key mismatch.
>
> AFAICT, 'guix refresh' doesn't allow checking fingerprints.  If so, we
> must change it.

It doesn’t ask you to type ‘y’, but it does display the key fingerprint
when it first downloads it (well, gpg does.)

> Am I mistaken?  I'm not sure because it fails on my machine:
>
> # ./pre-inst-env guix refresh -u
>
> [...]
>
> In execlp of gpg2: No such file or directory

You need to have GnuPG 2.x installed:

  guix package -i gnupg

> guix refresh: warning: signature verification failed for `guile-2.0.9.tar.gz'
> guix refresh: warning: (could be because the public key is not in your keyring)
> gnu/packages/guile.scm:48:12: guile: updating from version 1.8.8 to version 2.0.9...

(Of course it shouldn’t try to update 1.8 to 2.0; future work...)

[...]

> In guix/scripts/refresh.scm:
>  167: 2 [#<procedure 98580e0 at guix/scripts/refresh.scm:151:22 (package)> #]
> In ice-9/boot-9.scm:
>  788: 1 [call-with-input-file #f ...]
> In unknown file:
>    ?: 0 [open-file #f "r" #:encoding #f #:guess-encoding #f]
>
> ERROR: In procedure open-file:
> ERROR: Wrong type (expecting string): #f

I’ve just changed it to gracefully handle this case.

>> It’s exactly what I would do manually.  What about you?
>
> It depends.  I usually use a similar page [1] to compare fingerprints
> and also check via keys.gnupg.net.

Well, it’s not clear that checking the checksum published on a web page
adds much to checking against a freshly downloaded tarball (a sufficiently
motivated attacker could just as well be serving you a modified web
page, after all.)

>>> Is it possible to use three mirrors to check keys and tarballs?
>
>> Check against what?  What do you want to address?
>
> Check them against each other.  But it's not the case because 'guix
> refresh' uses one server per package.

Hmm, I tend to think this is unneeded paranoia, because such things are
eventually checked by all of us anyway.

(BTW, keep in mind that Git commits are not signed.  That would be by
far the easiest attack vector.)

Ludo’.
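The trust-on-first-use model Ludovic compares to the OpenSSH known-hosts file, as an added example (this is not code from Guix or from the thread's authors): the first time a package's signing-key fingerprint is seen it is recorded and shown to the user; every later run compares against the pinned value and flags a mismatch. The one-line-per-package store format, the `check_key` outcomes and the sample fingerprints are all assumptions constructed for this illustration.

```python
"""Pin upstream signing-key fingerprints, known_hosts style (added example).

Store format (an assumption of this example, not a Guix format):
    <package-name> <40-hex-digit OpenPGP v4 fingerprint>   # optional comment
"""
from __future__ import annotations

import re

# An OpenPGP v4 fingerprint is 160 bits, i.e. 40 hex digits once gpg's
# grouping spaces are removed.
FPR_RE = re.compile(r"[0-9A-F]{40}")

# Constructed sample store: one package already pinned.
SAMPLE_KNOWN_KEYS = """\
# package   fingerprint (constructed sample values, not real keys)
guile       0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop the spaces gpg prints between digit groups and upper-case the hex."""
    norm = fpr.replace(" ", "").upper()
    if not FPR_RE.fullmatch(norm):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {fpr!r}")
    return norm


def load_known_keys(text: str) -> dict[str, str]:
    """Parse the store text into {package: normalized fingerprint}."""
    known: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        name, fpr = line.split(None, 1)
        known[name] = normalize_fingerprint(fpr)
    return known


def dump_known_keys(known: dict[str, str]) -> str:
    """Serialize the store so it can be written back after a first sighting."""
    return "".join(f"{name} {fpr}\n" for name, fpr in sorted(known.items()))


def check_key(known: dict[str, str], package: str, seen_fpr: str) -> str:
    """Trust-on-first-use decision for one package's signing key.

    Returns 'new' (fingerprint pinned now; the caller should display it),
    'ok' (matches the pinned value) or 'mismatch' (key changed since the
    first sighting, which is the case a user must look at before trusting
    the signature).  Only the 'new' outcome mutates the store.
    """
    fpr = normalize_fingerprint(seen_fpr)
    pinned = known.get(package)
    if pinned is None:
        known[package] = fpr
        return "new"
    return "ok" if pinned == fpr else "mismatch"


if __name__ == "__main__":
    store = load_known_keys(SAMPLE_KNOWN_KEYS)
    for pkg, fpr in [
        ("guile", "0123456789ABCDEF0123456789ABCDEF01234567"),   # same key
        ("guile", "FFFF 0000 FFFF 0000 FFFF  0000 FFFF 0000 FFFF 0000"),  # changed
        ("hello", "89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF"),  # first seen
    ]:
        verdict = check_key(store, pkg, fpr)
        print(f"{pkg}: {verdict}" + (f" (pinned {store[pkg]})" if verdict == "new" else ""))
    print(dump_known_keys(store), end="")
```

Note that, exactly as with OpenSSH, the model only detects a key that changes after the first sighting; a bad key served on the very first download is pinned like any other, which is why the fingerprint is displayed at that moment rather than silently stored.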


