bug#62656: broken guix time-machine + software-heritage
From: Ludovic Courtès
Subject: bug#62656: broken guix time-machine + software-heritage
Date: Fri, 05 May 2023 09:36:43 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Hi!
Simon Tournier <zimon.toutoune@gmail.com> skribis:
> On jeu., 04 mai 2023 at 15:05, Ludovic Courtès <ludovic.courtes@inria.fr>
> wrote:
>
>>> Well, I do not see which features will be missing.
>>
>> Those mentioned earlier, provenance tracking and downgrade detection in
>> particular.
>
> Do we care about provenance tracking for this scenario? Similarly, do
> we care about downgrade detection for this scenario?
Provenance tracking, yes. I wrote about the current status: (guix
describe), (guix channels), etc. expect a full Git repo, which is why
things are done this way.
We could imagine a different design, but that’s a broader endeavor.
[...]
> If tomorrow Savannah is totally down and let's assume the malicious Eve is
> serving https://git.savannah.gnu.org/git/guix.git. The authentication
> is useless since Eve can easily rewrite it.
The authentication mechanism is designed to make this impossible.
That’s why one can run:
guix pull --url=https://github.com/guix-mirror/guix
without fear (worst that can happen is that the mirror is stale).
> The only mechanism that protects Alice is the commit SHA-1 hash she
> has at hand. Eve needs to attack this SHA-1 with some collision. And
> if it's possible to produce a pre-image attack for SHA-1, then nothing
> would prevent Eve from also replacing the origins of some packages in
> https://git.savannah.gnu.org/git/guix.git.
True to some extent—see the section about SHA1 in the Programming paper¹.
Ludo’.
¹ https://doi.org/10.22152/programming-journal.org/2023/7/1
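As an added illustration of the point above (not part of the original message or of Guix itself): the reason a mirror URL can be used "without fear" is that the trust anchor of the 'guix channel is its channel introduction (a commit plus the OpenPGP fingerprint that signed it), not the URL it is fetched from. A channels.scm along these lines, usable with `guix pull -C` or `guix time-machine -C`, makes that explicit; the commit and fingerprint below are placeholders to be replaced with the real Guix introduction values.

```scheme
;; channels.scm (added example, not from the thread).
;; The URL may point at any mirror: Guix authenticates every commit from the
;; introduction commit onward against the keys listed in .guix-authorizations,
;; so a stale or hostile mirror can at most serve old history, not altered history.
(list (channel
        (name 'guix)
        (url "https://github.com/guix-mirror/guix")
        (branch "master")
        ;; Placeholders: substitute the official Guix introduction commit and
        ;; OpenPGP fingerprint (see the Guix manual or `guix describe -f channels`).
        (introduction
         (make-channel-introduction
          "INTRODUCTION-COMMIT-PLACEHOLDER"
          (openpgp-fingerprint
           "OPENPGP-FINGERPRINT-PLACEHOLDER")))))
```

With the introduction in place, `guix pull` refuses commits not signed by an authorized key and rejects downgrades relative to the currently deployed commit, which is the provenance and downgrade-detection machinery the message refers to.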