guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Public guix offload server

From: Tobias Geerinckx-Rice
Subject: Re: Public guix offload server
Date: Fri, 22 Oct 2021 00:16:17 +0200 
All,

zimoun 写道:

Do you mean that trusted users would try WM-escape exploits?
The world has been formed by warewolves inside communities purposely 
causing harm. Looking further back, Oliver the Spy is a classic
examplar of trust networks being hollowed out.


So…
I cannot assume that on one hand one trusted person pushes to the main Git repo in good faith and on other hand this very same trusted person 
behaves as a warewolves using a shared resource.
…li'l' sleepy here, bewarned, but before this gets out of hand: I never implied direct abuse of trust by committers. I don't consider it the main threat[0].
There are the people you meet at FOSDEM and the users who log into machines. Both can be compromised, but the latter are much easier and more likely to be.
Such compromise is not laughable or hypothetical: it happens *constantly*. It's how kernel.org was utterly owned[1].
Trusting people not to be evil is not the same as having to trust the opsec habits of every single one of them. Trust isn't transitive. Personally, I don't think a rogue zimoun will suddenly decide to abuse us. I think rogues will abuse zimoun the very first chance they get.
That's not a matter of degree: it's a whole different threat model, as is injecting arbitrary binaries vs. pushing malicious code commits. Both are bad news, but there's an order of magnitude difference between the two.
For sure, one can always abuse the trust. Based on this principle, we could stop any collaborative work right now. The real question is the evaluation of the risk of such abuse by trusted people after long period 
of collaboration (that’s what committer usually means).
Isn't that the kind of hands-up-in-the-air why-bother nothing's-perfect fatalism I thought your Python quote (thanks!) was trying to warn me about? ;-) 

Zzz,

T G-R
[0]: That's probably no more than an optimistic human flaw on my part and ‘disgruntled ex-whatevers’ are probably more of a threat that most orgs dare to admit.
[1]: I know, ancient history, but I'm working from memory here. I'm sure it would be trivial to find a more topical example.

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]