Hi!

Simon Tournier <zimon.touto...@gmail.com> wrote:

> On Thu, 04 May 2023 at 15:05, Ludovic Courtès <ludovic.cour...@inria.fr> wrote:
>
>>> Well, I do not see which features will be missing.
>>
>> Those mentioned earlier, provenance tracking and downgrade detection in
>> particular.
>
> Do we care about provenance tracking for this scenario?  Similarly, do
> we care about downgrade detection for this scenario?

Provenance tracking, yes.  I wrote about the current status: (guix
describe), (guix channels), etc. expect a full Git repo, which is why
things are done this way.  We could imagine a different design, but
that’s a broader endeavor.

[...]

> If tomorrow Savannah is totally down and let's assume the malicious Eve is
> serving https://git.savannah.gnu.org/git/guix.git.  The authentication
> is useless since Eve can easily rewrite it.

The authentication mechanism is designed to make this impossible.
That’s why one can run:

  guix pull --url=https://github.com/guix-mirror/guix

without fear (worst that can happen is that the mirror is stale).

> The only mechanism that protects Alice is the commit SHA-1 hash she
> has at hand.  Eve needs to attack this SHA-1 with some collision.  And
> if it’s possible to produce a pre-image attack for SHA-1, then nothing
> would prevent Eve from also replacing the origins of some packages in
> https://git.savannah.gnu.org/git/guix.git.

True to some extent—see the section about SHA1 in the Programming
paper¹.

Ludo’.

¹ https://doi.org/10.22152/programming-journal.org/2023/7/1