start refusing to pull packages from unauthenticated upstreams

[glyph]

A number of recipes retrieve code using either http:// or git:// transports; these should not be allowed.

My understanding is that typing make in the melpa repository is what does the actual building of packages, so it would be melpa doing the package signing when #1749 is implemented. If my understanding is correct, I think it would be irresponsible to codesign a package that was just some code automatically scraped off of a wiki.

[alphapapa]

Where do signed git tags/commits figure into this? They're very easy to use.

Of course, if the GPG key is not fetched securely, and/or if it's not signed by a known trustworthy key, it's not technically authenticated (cf. Debian's key-signing parties). But it would still be nice to have support for it. And if MELPA stored the already-fetched GPG keys on its server, it could detect if a signing key changed, and it could refuse to build signed packages if they were signed by a different key, or unsigned packages if their previous releases were signed.

This would be a nice step in the right direction. HTTPS/TLS is nice, but it's not a panacea, and it doesn't protect against something like GitHub being compromised.

[glyph]

Where do signed git tags/commits figure into this?

Git signatures rely on sha1, which has been more or less completely compromised by Google this year, so they don't provide a strong guarantee of authenticity either. Probably not worth bothering with. (There's also the fact that commit-signing is not itself more meaningful than "this came from this repository" unless the signer verifies the contents of every file, since the parent commit was not itself signed.)

They're very easy to use.

Disagree. GPG's web of trust is so confusing that, as far as I know, there are no crypto experts who believe they can use it without serious preparation. Unfortunately, the mode that makes the most sense for using GPG is when one is verifying a signature that can only have come from one key (like debian / apt signatures).

[glyph]

... it doesn't protect against something like GitHub being compromised ...

Provider-independent security is always a good goal, but let's not try to build rocketships before we can even crawl. This ticket is about beginning to refuse to pull from package sources that are entirely unauthenticated, and it's been open for almost 2 years. Let's please have MELPA do that before getting off into the crypto-utopian weeds with peer-to-peer signatures.

[alphapapa]

Git signatures rely on sha1, which has been more or less completely compromised by Google this year, so they don't provide a strong guarantee of authenticity either. Probably not worth bothering with.

I'm not sure I understand what you mean.

1. Git commits are referenced by SHA1 hashes, but signed git tags are PGP signatures, which have not been compromised.
2. IIUC, the Google PoC is neat, but doesn't mean that SHA1 has been universally compromised. It took about a year of real-time on one of their huge clusters and allowed them to produce a collision in a PDF. It points to SHA1 being broken someday, but it's not universally so now. IIUC, even MD5 isn't broken in that way, as there is no feasible preimage attack. (I am far from a crypto expert, but I just googled around a bit to refresh my memory. Please correct me if I'm wrong.)
3. AFAIK the git project is working on upgrading to at least SHA256. When that is completed, the hashes signed by PGP in signed tags will be even more resistant.

So, signed git tags are useful for authenticity now and should remain so in the future.

(There's also the fact that commit-signing is not itself more meaningful than "this came from this repository" unless the signer verifies the contents of every file, since the parent commit was not itself signed.)

Not sure what you mean here either. Git inherently provides resistance to change detection, as an author who tried to push a commit to a sabotaged repo would get a push failure since his commit would not be a child of the altered commit. When a committer signs a tag, it effectively signs both that commit and the whole chain of parent commits.

We assume that an author would not hard-reset his own repo to a sabotaged remote ref, then sign and push his own commit on top of that, just as we assume that an author will not give out his SSH key passphrase, etc. The threats being protected against are MITM attacks and attacks on the author's git repos, e.g. on GitHub's file servers.

Disagree. GPG's web of trust is so confusing that, as far as I know, there are no crypto experts who believe they can use it without serious preparation. Unfortunately, the mode that makes the most sense for using GPG is when one is verifying a signature that can only have come from one key (like debian / apt signatures).

What I mean is that they are easy to use for the signer: just run git tag -s, type in your passphrase, and push.

Provider-independent security is always a good goal, but let's not try to build rocketships before we can even crawl. This ticket is about beginning to refuse to pull from package sources that are entirely unauthenticated, and it's been open for almost 2 years. Let's please have MELPA do that before getting off into the crypto-utopian weeds with peer-to-peer signatures.

For MELPA, it should be as simple as adding each author's PGP key to the MELPA keyring when their first recipe is accepted, then automatically verifying the signature on each recipe's git tags. That's very straightforward, and it provides provider-independent security.

[aplaice]

1. Git commits are referenced by SHA1 hashes, but signed git tags are PGP signatures, which have not been compromised.

If I understand git's signing of tags (and commits) correctly, the problem is that when signing a tag, what you're signing is the SHA1 hash of the given commit, with some metadata (dates, name of tagger, message), not the underlying source code. Hence, if an attacker manages to produce a commit with the same SHA1 hash as a commit by the original author, then a signed tag won't protect you.

(Signed tags will protect you, assuming that SHA1 is not completely broken, from a MITM attack or a rogue party having write access to the repository.)

Disclaimer: IANAC

[alphapapa]

what you're signing is the SHA1 hash of the given commit, with some metadata (dates, name of tagger, message), not the underlying source code.

A commit hash is a hash of the entire tree at that commit, which includes hashes of all the files. That's how git knows if a file is changed. That's the whole point. A signed tag testifies that the commit hash was signed by the author's PGP key.

Hence, if an attacker manages to produce a commit with the same SHA1 hash as a commit by the original author, then a signed tag won't protect you.

As I said, there is no SHA1 preimage attack; there's not even an MD5 preimage attack yet. Google's SHA1 attack took like 100 years of GPU time and produced a collision in a specially crafted PDF. SHA1 is not broken in this way and it's a long ways from being so.

Signed git tags would go a long way toward protecting MELPA, at least for the packages whose authors are willing to use them.

[aplaice]

A commit hash is a hash of the entire tree at that commit, which includes hashes of all the files. That's how git knows if a file is changed. That's the whole point. A signed tag testifies that the commit hash was signed by the author's PGP key.

I'm derailing the discussion, but the point is that the commit object (whose hash is the commit hash) contains the hash of the tree object and the parent commit (plus metadata). The tree object, in turn contains, as you wrote, the hashes of all the files, plus their sizes. As a result, if hypothetically someone manages to produce a file which has the same SHA1 hash, and the same size, as a file in the original repository (or ideally in the latest commit that hasn't yet been fetched by MELPA), then the "tree hash" and consequently the commit hash will be the same, so the signature will still be valid.

Obviously there's a huge jump between producing a set of pairs of PDFs that collide, in a year, to a preimage attack (actually more, since we need the sizes to match) within the four hours between successive MELPA rebuilds, but the original assertion, that I was defending, that "Git signatures [...] don't provide a strong guarantee of authenticity either" is more-or-less true.

(Again, this is not to say that git signatures wouldn't be nice to have, anyway, in an ideal world.)

In any case, the topic of implementing a web of trust, using author-signed commits etc. should probably be in a separate issue.

[alphapapa]

but the original assertion, that I was defending, that "Git signatures [...] don't provide a strong guarantee of authenticity either" is more-or-less true.

This is the crux of the issue. And, no--with respect--I think you are completely wrong. They currently do provide a strong guarantee of authenticity. In order to break that guarantee, either PGP or SHA1 would have to be broken. Neither of them are broken, nor are either of them close to being broken.

Remember, it's effectively the same system Debian has used for years: hash packages with MD5/SHA1 (and now SHA256 as well) and PGP-sign the hashes. It's very secure--practically as secure as you can get. If it's good enough for Debian, it's good enough for MELPA. ;)

[aplaice]

On the topic of https, I think that these are the packages that are fetched unauthenticated (40 in total):

Package	fetcher	URL
color-theme	bzr	http://bzr.savannah.gnu.org/r/color-theme/trunk
sml-modeline	bzr	lp:~nxhtml/nxhtml/main
debian-changelog-mode	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
debian-bug	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
w3m	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot
shimbun	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot
tex-smart-umlauts	darcs	http://hub.darcs.net/lyro/tex-smart-umlauts
darcsum	darcs	http://hub.darcs.net/simon/darcsum
zeitgeist	git	git://anongit.freedesktop.org/zeitgeist/zeitgeist-datasources
fuel	git	git://factorcode.org/git/factor.git
jabber	git	git://git.code.sf.net/p/emacs-jabber/git
jtags	git	git://git.code.sf.net/p/jtags/code
log4j-mode	git	git://git.code.sf.net/p/log4j-mode/code
matlab-mode	git	git://git.code.sf.net/p/matlab-emacs/src
speechd-el	git	git://git.freebsoft.org/git/speechd-el
notmuch	git	git://git.notmuchmail.org/git/notmuch
howm	git	git://git.osdn.jp/gitroot/howm/howm.git
po-mode	git	git://git.savannah.gnu.org/gettext.git
bbdb	git	git://git.savannah.nongnu.org/bbdb.git
stumpwm-mode	git	git://git.savannah.nongnu.org/stumpwm.git
emms	git	git://git.sv.gnu.org/emms.git
eide	git	git://git.tuxfamily.org/gitroot/eide/emacs-ide.git
deft	git	git://jblevins.org/git/deft.git
org-mac-link	git	git://orgmode.org/org-mode.git
org-mac-iCal	git	git://orgmode.org/org-mode.git
stgit	git	git://repo.or.cz/stgit.git
password-store	git	http://git.zx2c4.com/password-store
llvm-mode	git	http://llvm.org/git/llvm
paredit	git	http://mumble.net/~campbell/git/paredit.git
anything	git	http://repo.or.cz/r/anything-config.git
org-fstree	git	http://repo.or.cz/r/org-fstree.git
undo-tree	git	http://www.dr-qubit.org/git/undo-tree.git
redshank	git	http://www.foldr.org/~michaelw/projects/redshank.git
cg	svn	http://beta.visl.sdu.dk/svn/visl/tools/vislcg3/trunk/emacs
caml	svn	http://caml.inria.fr/svn/ocaml/trunk/emacs/
clang-format	svn	http://llvm.org/svn/llvm-project/cfe/trunk/tools/clang-format
dsvn	svn	http://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/
dic-lookup-w3m	svn	http://svn.osdn.jp/svnroot/dic-lookup-w3m/
ruby-electric	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/
ruby-additional	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/

The two most popular (I think) are undo-tree and notmuch. Neither allows cloning via https (in the case of notmuch it's weird, as they have a valid certificate for the domain, but they just don't seem to support https as a protocol for git), but both do have tags that are signed. Perhaps, verifying the signature of tags could potentially be used as a supplement for requiring https (i.e. either require https or tags signed by authors).

[alphapapa]

@aplaice Thanks for putting that info together!

[aplaice]

It seems that, actually, quite a few of these repositories do now support https, even if they didn't when the recipes were written. 13 need just a change of protocol and 4 also needed a slight adjustment of the URL (in the case of savannah — e.g. git://git.savannah.gnu.org/gettext.git -> https://git.savannah.gnu.org/git/gettext.git ). Full table of changes needed, below:

Package	fetcher	Original URL	New URL
po-mode	git	git://git.savannah.gnu.org/gettext.git	https://git.savannah.gnu.org/git/gettext.git
bbdb	git	git://git.savannah.nongnu.org/bbdb.git	https://git.savannah.nongnu.org/git/bbdb.git
stumpwm-mode	git	git://git.savannah.nongnu.org/stumpwm.git	https://git.savannah.nongnu.org/git/stumpwm.git
emms	git	git://git.sv.gnu.org/emms.git	https://git.savannah.gnu.org/git/emms.git
color-theme	bzr	http://bzr.savannah.gnu.org/r/color-theme/trunk	https://bzr.savannah.gnu.org/r/color-theme/trunk
jabber	git	git://git.code.sf.net/p/emacs-jabber/git	https://git.code.sf.net/p/emacs-jabber/git
jtags	git	git://git.code.sf.net/p/jtags/code	https://git.code.sf.net/p/jtags/code
log4j-mode	git	git://git.code.sf.net/p/log4j-mode/code	https://git.code.sf.net/p/log4j-mode/code
matlab-mode	git	git://git.code.sf.net/p/matlab-emacs/src	https://git.code.sf.net/p/matlab-emacs/src
password-store	git	http://git.zx2c4.com/password-store	https://git.zx2c4.com/password-store
paredit	git	http://mumble.net/~campbell/git/paredit.git	https://mumble.net/~campbell/git/paredit.git
cg	svn	http://beta.visl.sdu.dk/svn/visl/tools/vislcg3/trunk/emacs	https://beta.visl.sdu.dk/svn/visl/tools/vislcg3/trunk/emacs
caml	svn	http://caml.inria.fr/svn/ocaml/trunk/emacs/	https://caml.inria.fr/svn/ocaml/trunk/emacs/
dsvn	svn	http://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/	https://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/
dic-lookup-w3m	svn	http://svn.osdn.jp/svnroot/dic-lookup-w3m/	https://svn.osdn.jp/svnroot/dic-lookup-w3m/
ruby-electric	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/	https://svn.ruby-lang.org/repos/ruby/trunk/misc/
ruby-additional	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/	https://svn.ruby-lang.org/repos/ruby/trunk/misc/

Testing on Ubuntu 16.04, all of these can be cloned (or branched/checked out) with the relevant commands.

For the remaining repositories, the fact that I was unable to find a way to fetch in an authenticated way does not mean that it's not possible. In the case of sml-modeline I'm not sure whether the custom lp: (launchpad) protocol is authenticated (according to the docs it's equivalent to using bzr+ssh:// which I think, by analogy with git, is not authenticated unless you already have the relevant ssh key). It is possible to replace the lp: url with one using https ( lp:~nxhtml/nxhtml/main -> https://code.launchpad.net/~nxhtml/nxhtml/main).

To the MELPA maintainers: I have not tested whether the packages would actually build, though I have no reason to believe they would not. Should I patch the recipes and send a pull request?

[purcell]

To the MELPA maintainers: I have not tested whether the packages would actually build, though I have no reason to believe they would not. Should I patch the recipes and send a pull request?

@aplaice Yes please! Thanks for digging into this. Let's keep the lp: URLs as-is for now.

[aplaice]

@purcell I've sent a pull request. I could break this up into several pieces, for ease of reversion, if need be, but the packages seem to build and install cleanly, locally.

[alphapapa]

Sorry for the noise, just realized that I need to update emacs-w3m for Emacs 25 (the version packaged in Ubuntu Trusty isn't working with it, and eww is nice but doesn't handle some pages well in comparison), and so I just realized that this package is pulled over unauthenticated CVS. I'm not sure how significant this package is to some, but to me it's very significant as it seems to be the best browser for Emacs. It currently has over 44,000 downloads from MELPA.

I see some mirrors of the CVS repo on GitHub, but, assuming they pull automatically from CVS, using them for MELPA wouldn't increase security.

Ideally we could convince the author of w3m to switch to Git, but I'm assuming that he's still using CVS for a reason... :/

[joewreschnig]

Some more domains have got HTTPS, and some others have official GitHub mirrors:

Package	fetcher	New URL
clang-format	svn	https://llvm.org/svn/llvm-project/cfe/trunk/tools/clang-format
darcsum	darcs	https://hub.darcs.net/simon/darcsum
deft	github	jrblevin/deft
fuel	github	factor/factor
llvm-mode	git	https://llvm.org/git/llvm
sml-modeline	bzr	https://code.launchpad.net/~nxhtml/nxhtml/main
tex-smart-umlauts	darcs	https://hub.darcs.net/lyro/tex-smart-umlauts
zeitgeist	git	https://anongit.freedesktop.org/git/zeitgeist/zeitgeist-datasources.git

EIDE has got an HTTPS repository but it's very slow to clone (I gave up after 3MB and ten minutes, vs. a few seconds for raw Git) so they probably don't really intend to serve over it:

Package	fetcher	New URL
eide	git	https://git.tuxfamily.org/eide/emacs-ide.git/

What's left (hoping I caught them all):

Package	fetcher	URL
anything	git	http://repo.or.cz/r/anything-config.git
debian-bug	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
debian-changelog-mode	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
howm	git	git://git.osdn.jp/gitroot/howm/howm.git
notmuch	git	git://git.notmuchmail.org/git/notmuch
org-fstree	git	http://repo.or.cz/r/org-fstree.git
org-mac-iCal	git	git://orgmode.org/org-mode.git
org-mac-link	git	git://orgmode.org/org-mode.git
redshank	git	http://www.foldr.org/~michaelw/projects/redshank.git
shimbun	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot
speechd-el	git	git://git.freebsoft.org/git/speechd-el
stgit	git	git://repo.or.cz/stgit.git
undo-tree	git	http://www.dr-qubit.org/git/undo-tree.git
w3m	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot

Many of these sites have HTTPS certificates, but not served correctly or expired. orgmode.org uses a self-signed cert. :(

[aplaice]

Thanks for keeping up with this!

freedesktop.org apparently also uses https with the URL https://anongit.freedesktop.org/git/zeitgeist/zeitgeist-datasources.git/ (a diff proves that it's the same git repository), if you want to add it to the pull request (it would probably be convenient for these changes to be committed together, though I could also open a new one).

Edit: Also, deft is now on github: https://github.com/jrblevin/deft (the homepage of the package explicitly refers to this: http://jblevins.org/projects/deft/ ). In the case of fuel, the github mirror is not considered "official", but it is referred to from their site.

[joewreschnig]

The deft alternative looks good. Not sure about fuel - if it's not official that means it's mirrored from the official one somehow. We can be sure we're pulling from GitHub, but have no assurance GitHub pulled from the right site. (That the GH mirror has a non-functioning HTTPS link in its header is also troubling.) I opened an issue to ask about this.

[joewreschnig]

repo.or.cz uses an intentionally bizarre (non-CA root signing something that lasts 10,000 years) SSL certificate, which is also part of their authorization system, so could be very painful for them to change.

If it's absolutely necessary to support these repositories, one option would be to add the ability to pin a root or server cert to the recipe directly. But IMO their security architecture is reckless and should be discouraged.

[joewreschnig]

I've updated #4913 and the table with deft, fuel, and zeitgeist.

[joewreschnig]

And now also updated with with sml-modeline. I dug through the bzr source and yes, bzr's lp: protocol is HTTP for anonymous clones, but HTTPS works.

Even with the explicit URL, bzr seems to fail open validating certificates by default when it can't find roots; hopefully most uses are on an OS where it can find the roots...

[joewreschnig]

I dropped a comment into an existing request to migrate emacs-goodies-el from CVS to Git.

[joewreschnig]

After some more recipe removals:

Package	fetcher	URL
anything	git	http://repo.or.cz/r/anything-config.git
eide	git	git://git.tuxfamily.org/gitroot/eide/emacs-ide.git
howm	git	git://git.osdn.jp/gitroot/howm/howm.git
notmuch	git	git://git.notmuchmail.org/git/notmuch
org-fstree	git	http://repo.or.cz/r/org-fstree.git
redshank	git	http://www.foldr.org/~michaelw/projects/redshank.git
shimbun	???	Mirrored in emacsorphanage, but over CVS
speechd-el	git	git://git.freebsoft.org/git/speechd-el
undo-tree	git	http://www.dr-qubit.org/git/undo-tree.git
w3m	???	Mirrored in emacsorphanage, but over CVS

w3m is effectively the only package left using CVS (shimbun is in the same repo). This is a very popular package, but CVS is a very bad security hole. I have not emailed Katsumi Yamaoka because I've seen other people say they already have, but maybe it's time to try again?

[purcell]

The Redshank author appears to be @michaelw here - Michael, would you consider moving your old redshank repo to github, so that we can fetch it via a more secure method than the plain git protocol? (P.S. I sent you a patch by email yesterday.)

[joewreschnig]

I've sent an email to the maintainer of undo-tree. It's also in ELPA, but the ELPA version is a bit behind the MELPA one.

[joewreschnig]

w3m and shimbun are now pulled via git, but unless someone is manually auditing the changes when mirroring, the security problem isn't solved.

[joewreschnig]

stgit was removed in the license purge, but it's also available at https://github.com/ctmarinas/stgit if that gets resolved.

[milkypostman]

The difference between the wiki and git is quite different.

…

-direct access to git repo is very limited -there is an audit trail

On Sat, Sep 30, 2017 at 2:50 PM Joe Wreschnig ***@***.***> wrote: stgit was removed in the license purge, but it's also available at https://github.com/ctmarinas/stgit if that gets resolved. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3004 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AACUssxOPJFCFXK1TupVH9NWCXt3DbOhks5snptzgaJpZM4FoSsj> .

[joewreschnig]

The current anything maintainer seems to be @rubikitch - would you consider moving it from repo.or.cz to GitHub? Or is it no longer relevant with Helm?

[joewreschnig]

Howm is now anonymously clonable at https://scm.osdn.net/gitroot/howm/howm.git (and also every other OSDN project - https://osdn.net/ticket/browse.php?group_id=10743&tid=37552 - thank you ISHIKAWA Mutsumi and Tatsuki Sugiura!)

Unfortunately I cannot prepare a PR right now as my development computer is broken.