Re: “Building a Secure Software Supply Chain with GNU Guix”

[Zhu Zihao]

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

>> We have PGP sign and git commit chain to make sure the commits are
>> committed by trusted people. But it's still possible for the channel
>> owner to inject malicious code into the channel in a future commit. Like
>> what Marak Squires did in faker.js project :( or the committer of Guix
>> was attacked by an evil maid.
>
> I’m not aware of the faker.js story, do you have a link?

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Here's a detailed report about Marak and faker.js.

>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>> code is allowed. But Guix channel is less restricted than a Nix flake.
>> It's a important problem to make sure the evaluation is safe for the user.
>
> Yes, I understand.  I don’t think that makes a practical difference
> though: when you pull from a Guix channel or fetch a Nix flake, that’s
> because you want to install software according to what that
> channel/flake provides.  So whether evil code is in the channel/flake
> (as Scheme/Nix code) or in the package(s) themselves makes little
> difference.
>
> Does that make sense?

My two cents: When depolying a manifest, we use `guix package -p
<path-to-profile> -m <path-to-manifest>`, This command consists two
parts. Guix will first evaluate the packages specified in the manifest,
and build the profile. And then populate the profile to given
destination. The first part can be done in a sandboxed environment, or a
non-privileged account like "nobody".

-- 
Retrieve my PGP public key:

  gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao

signature.asc
Description: PGP signature