bug-guix

bug#62656: broken guix time-machine + software-heritage


From: Simon Tournier
Subject: bug#62656: broken guix time-machine + software-heritage
Date: Thu, 04 May 2023 19:00:28 +0200

Hi,

On Thu., 04 May 2023 at 15:05, Ludovic Courtès <ludovic.courtes@inria.fr> wrote:

>> Well, I do not see which features will be missing.
>
> Those mentioned earlier, provenance tracking and downgrade detection in
> particular.

Do we care about provenance tracking for this scenario?  Similarly, do
we care about downgrade detection for this scenario?

I mean, we are not talking about a regular scenario but, as you said, a
worst-case scenario.

Somehow, I am missing where “security” (provenance tracking and
downgrade detection) fits in the picture.

If tomorrow Savannah is totally down and let's assume the malicious Eve is
serving https://git.savannah.gnu.org/git/guix.git.  The authentication
is useless since Eve can easily rewrite it.  The only mechanism that
protects Alice is the commit SHA-1 hash she has at hand.  Eve needs to
attack this SHA-1 with some collision.  And if it’s possible to produce
a pre-image attack for SHA-1, then nothing would prevent Eve from also
replacing the origins of some packages in
https://git.savannah.gnu.org/git/guix.git.

Moreover, cloning from SWH using git-bare is not protecting either.
Well, you are trusting SWH.  Somehow, you have no means to be sure that
the repository you get back from SWH is the one you expect.  The only
way is to inspect the signatures; it means the end-user knows exactly
which gpg key from .guix-authorizations they must trust.

Obviously, the former could be injected in the latter. ;-)  Noting that
SWH heavily relies on SHA-1, IIUC.

Yeah, we should talk with SWH’s folks. :-)

Cheers,
simon
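
Added illustration of the commit-hash point in the message above (not part of the original message, nor Guix or Software Heritage code): a Git commit ID is the SHA-1 of the commit object, which names its tree and parents by their own IDs, so a commit served by an untrusted mirror can be checked against a pinned ID by recomputing it. The function names and the sample commit are constructed for this example.

```python
import hashlib
import hmac

def git_object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 object ID as Git computes it: sha1(b"<type> <size>\\0" + body)."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def parse_commit_headers(body: bytes) -> dict:
    """Header fields of a raw commit body, e.g. {'tree': [...], 'parent': [...]}."""
    headers = {}
    head, _, _ = body.partition(b"\n\n")
    for line in head.split(b"\n"):
        if line.startswith(b" "):      # continuation of a multi-line header (gpgsig)
            continue
        key, _, value = line.partition(b" ")
        headers.setdefault(key.decode(), []).append(value.decode(errors="replace"))
    return headers

def verify_pinned_commit(pinned_id: str, body: bytes) -> dict:
    """Raise ValueError unless `body` hashes to `pinned_id`; return its headers."""
    actual = git_object_id("commit", body)
    if not hmac.compare_digest(actual, pinned_id.lower()):
        raise ValueError(f"commit mismatch: pinned {pinned_id}, server sent {actual}")
    return parse_commit_headers(body)

# Constructed sample commit (not a real Guix commit); its tree is Git's empty tree.
EMPTY_TREE = git_object_id("tree", b"")
SAMPLE_COMMIT = (
    f"tree {EMPTY_TREE}\n"
    "author Alice <alice@example.org> 1683219628 +0200\n"
    "committer Alice <alice@example.org> 1683219628 +0200\n"
    "\n"
    "constructed sample commit\n"
).encode()
PINNED = git_object_id("commit", SAMPLE_COMMIT)  # stands in for the ID Alice has at hand

if __name__ == "__main__":
    print("pinned:", PINNED, verify_pinned_commit(PINNED, SAMPLE_COMMIT))
    # A mirror that swaps the tree changes the commit bytes, hence the ID.
    forged = SAMPLE_COMMIT.replace(EMPTY_TREE.encode(), b"0" * 40)
    try:
        verify_pinned_commit(PINNED, forged)
    except ValueError as err:
        print("rejected:", err)
```

The check is only as strong as SHA-1 itself, and it says nothing about who signed the commit.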




