Hi!

Simon Tournier <zimon.touto...@gmail.com> skribis:

> On jeu., 04 mai 2023 at 15:05, Ludovic Courtès <ludovic.cour...@inria.fr> 
> wrote:
>
>>> Well, I do not see which features will be missing.
>>
>> Those mentioned earlier, provenance tracking and downgrade detection in
>> particular.
>
> Do we care about provenance tracking for this scenario?  Similarly, do
> we care about downgrade detection for this scenario?

Provenance tracking, yes.  I wrote about the current status: (guix
describe), (guix channels), etc. expect a full Git repo, which is why
things are done this way.

We could imagine a different design, but that’s a broader endeavor.

[...]

> If tomorrow Savannah is totally down and let assume the malicious Eve is
> serving https://git.savannah.gnu.org/git/guix.git.  The authentication
> is useless since Eve can easily rewrite it.

The authentication mechanism is designed to make this impossible.
That’s why one can run:

  guix pull --url=https://github.com/guix-mirror/guix

without fear (worst that can happen is that the mirror is stale).

> The only mechanism that protects Alice is the commit SHA-1 hash she
> has at hand.  Eve needs to attack this SHA-1 with some collision.  And
> if it’s possible to produce pre-image attack for SHA-1, then nothing
> would prevent Eve to also replace the origins of some packages in
> https://git.savannah.gnu.org/git/guix.git.

True to some extent—see the section about SHA1 in the Programming paper¹.

Ludo’.

¹ https://doi.org/10.22152/programming-journal.org/2023/7/1



Reply via email to