Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WoT verify pinned nixpkgs #78

Closed
wants to merge 1 commit into from
Closed

Conversation

nixbitcoin
Copy link
Member

@nixbitcoin nixbitcoin commented Jun 4, 2019

This PR sets up criteria and procedure for verifying pinned nixpkgs and nixpkgs-unstable commits. Additionally it provides a list of nixpkgs maintainer keys that fully or partially meet the criteria. The standards described could be automated in a script for easy verification.

It is worth discussing how much security this additional effort actually provides.

Closes #75

Copy link
Member

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for writing this up and verifying the maintainers. This is actually quite cool!
A few considerations:

  • What if we desparately need a fix that's not yet buried in a signed commit?
  • What if we miss an important fix by accident during the regular update because it's not yet buried in a signed commit?
  • Before we merge this we need a script that does everything automatically because it's quite boring to search for a signed commit from the list. Perhaps this whole PR can be a script so we don't have gpg keys in both a markdown file and a script which makes maintainability harder? Ideally the script would recv the keys, clone both nixos-unstable and nixos-19.03 into a temporary dir and then produce a nixpkgs-pinned.nix file.


Procedure
---
1. Search for most recent signed commit on [nixos-19.03](https://github.com/NixOS/nixpkgs-channels/commits/nixos-19.03) or [nixos-unstable](https://github.com/NixOS/nixpkgs-channels/commits/nixos-unstable)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/or/and

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK

@nixbitcoin
Copy link
Member Author

What if we desparately need a fix that's not yet buried in a signed commit?

We can always manually add a commit hash to nixpkgs-pinned.nix in emergencies. The standard could reflect this. In that case we would just not use the script and revert to manually updating.

What if we miss an important fix by accident during the regular update because it's not yet buried in a signed commit?

Quite a few of the recent commits in https://github.com/NixOS/nixpkgs-channels/commits/nixos-19.03 and https://github.com/NixOS/nixpkgs-channels/commits/nixos-unstable are properly signed according to our specifications, which should include all the previously buried updates. The script could introduce a time limit on how recent the commit must be, and throw an error if the latest properly signed commit is too old.

Before we merge this we need a script that does everything automatically because it's quite boring to search for a signed commit from the list. Perhaps this whole PR can be a script so we don't have gpg keys in both a markdown file and a script which makes maintainability harder? Ideally the script would recv the keys, clone both nixos-unstable and nixos-19.03 into a temporary dir and then produce a nixpkgs-pinned.nix file.

Yes, will do. What do you think about this script getting the fingerprints from a list of manually verified maintainer key fingerprints signed by one of our keys? This could be a way to cryptographically certify keys with information from different sources, like Keybase, websites, and GPG WoT. Or would there be a more elegant way to verify fingerprints from Keybase proofs, WoT, and websites in a scripted way?

@nixbitcoin nixbitcoin added this to In progress in nix-bitcoin Jul 26, 2019
jonasnick added a commit that referenced this pull request Nov 11, 2019
46edb39 Add content hashes for pinned channels (Erik Arvstedt)
961e821 Rename contrib/ to helper/ (Erik Arvstedt)

Pull request description:

  Unhashed external content is bad for security and performance (due to
  re-fetches when the cache times out).
  Use this simple fix until #78 is fleshed out.

  For testing, run this in the repo root dir:
  ```bash
  nix eval '(import ./pkgs/nixpkgs-pinned.nix)'
  ```

ACKs for top commit:
  jonasnick:
    ACK 46edb39

Tree-SHA512: cb098a4714aecf00e8d0f9fe6d388b6322416c1d2f8d55b54dc16328145331a87a71fbf68e2faa85105727cbd6370542799f1c2d84ac2bee90a6710b96eba9bd
@fiksn
Copy link

fiksn commented Nov 22, 2019

Interesting approach, but I don't seem to exactly understand the threat model. Ok, supply chain attacks in a sense that somebody puts a backdoored bitcoind in nixpkgs. But why should a "commit-chain" that was extended by one of the trusted maintainers be better? A backdoor could be well hidden and the people could work on a completely unrelated features. What I want to say, if there is a backdoor you are screwed one way or the other. There should be a quorum of nix-bitcoin maintainers saying ok this stuff from nixpkgs seems sane.

@nixbitcoin
Copy link
Member Author

Threat model: GitHub slips a malicious update into the tree, attacker gets write access to the git repo and merges backdoored code without review

At least when a trusted maintainer has signed the top commit we know that the state exists locally somewhere with somebody who probably looks at the changes to his nixpkgs very carefully.

I suggest I implement this first and when we have more development resources we set up a quorum to review relevant nixpkgs.

@nixbitcoin
Copy link
Member Author

#162 is the PR to be merged

@nixbitcoin nixbitcoin closed this Jun 17, 2020
nix-bitcoin automation moved this from In progress to Done Jun 17, 2020
@nixbitcoin nixbitcoin deleted the rfc branch March 3, 2021 10:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
No open projects
nix-bitcoin
  
Done
Development

Successfully merging this pull request may close these issues.

WoT verify pinned nixpkgs
3 participants