On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote: > "Leo Famulari" <l...@famulari.name> writes: > > So, someone who could MITM as <https://ci.guix.gnu.org> could use their > > own X.509 certificate and pretend to be that server. > > IIUC, you agree with me that an attacker can't change the content of > packages but can inspect what a user installs. This seems to contradict > this paragraph: > > > HTTPS is recommended because communications are encrypted; conversely, > > using HTTP makes all communications visible to an eavesdropper, who > > could use the information gathered to determine, for instance, whether > > your system has unpatched security vulnerabilities.
It is somewhat contradictory. The server that sends your substitutes knows what substitutes you request, by definition. How important is that information, and what tradeoffs are we willing to make to protect it? Guix protects this information from passive eavesdroppers but not an active MITM. The real important thing is, what substitutes are you requesting? This is based on your Guix code, and we do authenticate the server you request that from (`guix pull`). The next step is to start using code-signing there. This is a work in progress. > If you believe the text is good as it is, please just ignore me and > close the ticket. Okay, closed. Please let us know if you think the text can be improved.
