On 2024-11-11 20:46, Suhail Singh wrote:
> Saku Laesvuori via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
>
>> Anyway, I am not opposed to this change. The only effects for my use
>> cases are positive (nicer UI with the --allow flag). I just want to
>> point out that I don't think this makes any attacks significantly
>> harder.
>
> FWIW, this summarizes my belief as well. I do see some improvements in
> convenience, but the threat model where this improves security (threat
> actor has access to the repository, but the files are such that the
> threat actor isn't able to modify their semantics without first
> modifying the files) seems contrived. Am I mistaken?
>
> If not, while I don't have objections to the change (and do believe it
> has some value), I do have reservations about claiming security
> benefits.

My last message to Saku basically agreed to this ;) I still think it improves it for my specific use-case and for the addition of explicit user agreement to load code exterior to manifest/guix.scm in the case this file is trusted but compromised. But I agree the first message was probably too focussed on marginal security improvements and we shouldn't sell a false promise that could make people less careful.

I'm actually willing to improve that patch series if you have better ideas/implementations, I was just building on what I know (direnv/.dir-locals.el).

Maybe we should only allow to automatically run when the manifest is able to build without network access in container mode. Or include things like automatic git commit authentication on such allowed repositories. But I'm not sure if they are convenient or easy to implement, or make sense.

-- 
Best regards,
Nicolas Graves