Hi,

On Thu, 04 May 2023 at 15:05, Ludovic Courtès <ludovic.cour...@inria.fr> wrote:

>> Well, I do not see which features will be missing.
>
> Those mentioned earlier, provenance tracking and downgrade detection in
> particular.

Do we care about provenance tracking for this scenario? Similarly, do we care about downgrade detection for this scenario? I mean, we are not talking about a regular scenario but, as you said, a worst-case scenario.

Somehow, I am missing where “security” (provenance tracking and downgrade detection) fits in the picture.

If tomorrow Savannah is totally down and let's assume the malicious Eve is serving https://git.savannah.gnu.org/git/guix.git. The authentication is useless since Eve can easily rewrite it. The only mechanism that protects Alice is the commit SHA-1 hash she has at hand. Eve needs to attack this SHA-1 with some collision. And if it’s possible to produce a pre-image attack on SHA-1, then nothing would prevent Eve from also replacing the origins of some packages in https://git.savannah.gnu.org/git/guix.git.

Moreover, cloning from SWH using git-bare does not protect either. Well, you are trusting SWH. Somehow, you have no means to be sure that the repository you get back from SWH is the one you expect. The only way is to inspect the signatures; it means the end-user knows exactly which gpg key from .guix-authorizations they must trust. Obviously, the former could be injected in the latter. ;-)

Noting that SWH heavily relies on SHA-1, IIUC. Yeah, we should talk with SWH’s folks. :-)

Cheers,
simon
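The message above rests on one claim: when the channel and its authentication metadata cannot be trusted, the commit ID Alice already holds is what pins the content she receives, because a Git commit ID is a SHA-1 over the commit object, which in turn names the tree, which names every blob. The following is an added illustration of that chain, written for this thread and not code from Guix, Savannah or SWH. It re-implements Git's object hashing in plain Python (so it runs offline), builds a constructed one-file repository, and checks a received commit against a pinned ID. The file name, the package origin text, the author identity and the message are all constructed sample values; `build_commit`, `verify_pinned_commit` and `demo` are hypothetical helper names.

```python
import hashlib
import hmac


def git_object_id(kind: str, payload: bytes) -> str:
    """Compute a Git object ID exactly as Git does: SHA-1 over the header
    "<type> <size>\\0" followed by the raw object content."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def tree_payload(entries) -> bytes:
    """Serialize tree entries (mode, name, hex object id) in Git's on-disk
    format; Git requires the entries to be sorted by name."""
    body = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(oid)
    return body


def commit_payload(tree_id: str, message: str) -> bytes:
    """Serialize a minimal commit object pointing at the given tree."""
    # Constructed author/committer identity and timestamp (not a real commit).
    ident = b"Alice <alice@example.org> 1683200000 +0000"
    return (
        f"tree {tree_id}\n".encode()
        + b"author " + ident + b"\n"
        + b"committer " + ident + b"\n\n"
        + message.encode() + b"\n"
    )


def build_commit(files: dict) -> tuple:
    """Build blob -> tree -> commit for a flat set of files and return
    (commit object bytes, commit id). Every blob's hash is folded into the
    tree id, and the tree id into the commit id."""
    entries = [("100644", name, git_object_id("blob", data)) for name, data in files.items()]
    tree_id = git_object_id("tree", tree_payload(entries))
    commit = commit_payload(tree_id, "Constructed sample commit")
    return commit, git_object_id("commit", commit)


def verify_pinned_commit(commit_bytes: bytes, pinned_id: str) -> bool:
    """Accept a received commit object only if it hashes to the ID Alice
    recorded beforehand; constant-time comparison avoids leaking a prefix."""
    return hmac.compare_digest(git_object_id("commit", commit_bytes), pinned_id)


# Constructed repository contents: the same file before and after someone
# swaps a package origin. Neither URL is real.
GOOD_FILES = {"guix.scm": b'(origin (uri "https://example.org/pkg-1.0.tar.gz"))\n'}
TAMPERED_FILES = {"guix.scm": b'(origin (uri "https://attacker.invalid/pkg-1.0.tar.gz"))\n'}


def demo() -> tuple:
    """Return (genuine commit accepted?, tampered commit accepted?)."""
    good_commit, pinned = build_commit(GOOD_FILES)        # the ID Alice has at hand
    tampered_commit, _ = build_commit(TAMPERED_FILES)     # same author, message, date
    return (
        verify_pinned_commit(good_commit, pinned),
        verify_pinned_commit(tampered_commit, pinned),
    )


if __name__ == "__main__":
    print(demo())
```

The tampered commit differs only in one blob, yet its commit ID changes because the blob ID is embedded in the tree and the tree ID in the commit. This is why checking the ID of the commit you receive is the check that matters when the hosting side cannot be trusted, and why that guarantee is only as strong as SHA-1's pre-image resistance, as the message says. When fetching from an untrusted mirror, set `transfer.fsckObjects` to `true` so Git also re-verifies every object it receives against its ID, and then compare the resulting HEAD with the pinned commit.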