09/66: ccs-2021: Write conclusion.
From: Ludovic Courtès
Subject: 09/66: ccs-2021: Write conclusion.
Date: Wed, 29 Jun 2022 11:31:58 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit bf219e34e6cd66afd168ea703d40c5817f300c2f
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon May 3 11:38:13 2021 +0200
ccs-2021: Write conclusion.
---
doc/ccs-2021/supply-chain.skb | 61 +++++++++++++++++++++++++++++--------------
1 file changed, 41 insertions(+), 20 deletions(-)
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index b1c2d25..0da1814 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -915,29 +915,50 @@ branch rather than the intended one. The “secure push”
operation and
the associated ,(emph [reference state log]) (RSL) the authors propose
would be an improvement.]))
- (chapter :title [Conclusion and Outlook]
+ (chapter :title [Conclusion]
:ident "conclusion"
- (p [Guix now has a mechanism that allows it to authenticate
-updates. If you’ve run ,(tt [guix pull]) recently, perhaps you’ve noticed
-additional output and a progress bar as new commits are being
-authenticated. Apart from that, the switch has been completely
-transparent. The authentication mechanism is built around the commit
-graph of Git; in fact, it’s a mechanism to ,(emph [authenticate Git checkouts])
-and in that sense it is not tied to Guix and its application domain. It
-is available not only for the main ,(tt [guix]) channel, but also for
-third-party channels.])
-
- (p [To bootstrap trust, we added the notion of ,(it [channel
+ (p [The update authentication mechanism described in this article
+was deployed more than a year ago. Users updating with ,(tt [guix
+pull]) may have noticed a new progress bar while commits are being
+authenticated. Apart from that, the change was transparent and our
+experience so far has been positive. The authentication mechanism is
+built around the Git commit graph; it’s a mechanism to ,(emph
+[authenticate Git checkouts]) and in that sense it is not tied to Guix
+and its application domain. To our knowledge, this is the first
+client-side-only Git update authentication in use.])
+
+ (p [Guix records the commits of channels used to deploy a set of
+packages or even a complete operating system. We took advantage of
+that, together with knowledge of the commit graph of these channels, to
+prevent downgrade attacks—both when running ,(tt [guix pull]) and when
+deploying the operating system.])
+
+ (p [The security of the software supply chain as managed by Guix
+relies on: auditability (every piece of software is built from source),
+verifiability (the functional model and reproducible builds make it easy
+to (re)build binaries and check whether they match the source), and
+secure updates (users updating Guix can only get genuine code vetted by
+the project). We think this is a solid foundation that addresses common
+software supply chain issues at their core.])
+
+ (p [The security of free operating systems of course also depends
+on the security of the upstream software packages being distributed. We
+hope our Git authentication model and/or tool can find its way as part
+of the development workflows upstream. This would address one of the
+weakest points in today’s practices.])
+
+ #;(p [To bootstrap trust, we added the notion of ,(it [channel
introductions]). These are now visible in the user interface, in
-particular in the output of ,(tt [guix describe]) and in the configuration
-file of ,(tt [guix pull]) and ,(tt [guix time-machine]). While channel
-configuration remains a few lines of code that users typically paste,
-this extra bit of configuration might be intimidating. It certainly
-gives an incentive to provide a command-line interface to manage the
-user’s list of channels: ,(tt [guix channel add]), etc.])
-
- (p [The solution here is built around the assumption that Guix is
+particular in the output of ,(tt [guix describe]) and in the
+configuration file of ,(tt [guix pull]) and ,(tt [guix time-machine]).
+While channel configuration remains a few lines of code that users
+typically paste, this extra bit of configuration might be intimidating.
+This gives us an incentive to facilitate the handling of channels and
+channel introductions, be it through a compact representation of these
+of ,(it [via]) improvements to the user interface.])
+
+ #;(p [The solution here is built around the assumption that Guix is
fundamentally a source-based distribution, and is thus completely
orthogonal to the public key infrastructure (PKI) Guix uses for the
signature of substitutes. Yet, the substitute PKI could probably
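Review bot: the new `#;(p [To bootstrap trust` paragraph has a typo in its last sentence: `a compact representation of these of ,(it [via]) improvements` should read `a compact representation of these or ,(it [via]) improvements`; since `#;` only comments the datum out rather than removing it, the text stays in the source and will carry the typo whenever it is re-enabled. In the first new paragraph, the sentence `To our knowledge, this is the first client-side-only Git update authentication in use.` is a strong priority claim that would benefit from a cross-reference to the related-work discussion (the "secure push" and reference state log proposal in the context lines just above this hunk) or a softer wording. Finally, the title change from `Conclusion and Outlook` to `Conclusion` leaves the two outlook-style paragraphs (`To bootstrap trust` and `The solution here is built around`) commented out with `#;` rather than deleted; either drop them or keep "Outlook" in the title so the chapter's scope matches its contents.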