[Nix-dev] [yui at cock.li: Re: Malicious installation methods]

zimbatm zimbatm at zimbatm.com
Fri Jun 17 17:01:00 CEST 2016


On Fri, 17 Jun 2016 at 14:56 Yui Hirasawa <yui at cock.li> wrote:

> > One improvement would be to sign the actual script with an offline key
> > but while that would be safer the current method is perfectly fine.
>
> The current method isn't fine at all.
>
> Here is a quote from the #nix channel:
>
> > kmicu: Tsutsukakushi: I told ya so… security is not a priority here.
> > Feel free to try to improve security in Nix world, but you are better
> > off with Guix. They don't even trust compilers w/o bootstrapping from
> > the source option :)
>

Let's compare it with Guix then:

Go to https://www.gnu.org/software/guix/download/

First of all, it's not clear how to install Guix. You can download the
archive and poke inside or go to the installation instructions:
https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html

There you are instructed to fetch both the archive *and* the signature from
the same origin, over FTP, and then use gpg to check the archive against
the signature.
Assuming a MITM, it's already game over here; the MITM doesn't even have to
control one of the CAs.

There is also an alternative verification method: `gpg --keyserver
keys.gnupg.net --recv-keys 3D9AEBB5`. Assuming a MITM, keys.gnupg.net is
accessed in the clear. And generating a GPG key with the same key ID is
trivial. So game over again.

At that point there are still two pages of instructions to follow to get
Guix installed, with no additional security benefits.

==

I don't mean to say that GPG is a bad idea. It's just that using SSL is a
better idea unless we nail the GPG bit. Not everyone is getting
state-sponsored attacks.
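[Editor's note, not part of the thread above.] The `--recv-keys 3D9AEBB5`
point deserves a concrete illustration. The script below is an added
example written for this page; it is neither GnuPG nor Guix code and it
models the identifiers only. Assumptions, all labelled in the code: a "key"
is an opaque byte string and its fingerprint is SHA-1 of those bytes
(OpenPGP v4 hashes the public key packet, but the derivation of the IDs is
the real one: the short key ID is the low 32 bits of the fingerprint, the
long ID the low 64 bits); a "signature" is an HMAC under the key bytes,
standing in for a public-key signature; the keyserver is an in-memory list
that, like a real one, accepts any upload and answers an ID query with
every key whose fingerprint ends in that ID. The archive contents are
constructed. The colliding pair comes from a birthday search, which is
cheaper than the targeted search a real attacker needs; the comment in the
code gives both costs.

```python
"""Toy model of why a 32-bit OpenPGP key ID is not a verification step.

Added example, not GnuPG or Guix code. Simplifications: a key is an opaque
byte string; its "fingerprint" is SHA-1 of those bytes (OpenPGP v4 hashes
the public key packet, but the ID derivation below is the real one: short
key ID = low 32 bits of the fingerprint, long ID = low 64 bits); a
"signature" is HMAC-SHA256 under the key bytes, standing in for a real
public-key signature; the keyserver is a list that accepts any upload.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Key:
    material: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha1(self.material).hexdigest().upper()

    @property
    def short_id(self) -> str:
        return self.fingerprint[-8:]   # the 8-hex-digit ID, e.g. 3D9AEBB5


def sign(key: Key, data: bytes) -> bytes:
    # Stand-in for a public-key signature (see module docstring).
    return hmac.new(key.material, data, "sha256").digest()


def signature_valid(key: Key, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


@dataclass
class Keyserver:
    keys: list = field(default_factory=list)

    def upload(self, key: Key) -> None:
        self.keys.append(key)   # anyone may upload any key, as on SKS servers

    def lookup(self, query: str) -> list:
        # `gpg --recv-keys QUERY`: QUERY may be a short ID, long ID or full
        # fingerprint; every key whose fingerprint ends with it is returned.
        return [k for k in self.keys if k.fingerprint.endswith(query.upper())]


def colliding_key_pair(limit: int = 4_000_000):
    """Birthday search for two keys sharing one 32-bit short ID.

    Expected cost is about 2**16.5 hashes. A *targeted* search for one given
    ID such as 3D9AEBB5 costs about 2**32 hashes, which is still cheap on
    commodity hardware. Key material is derived from a counter, so the
    result is deterministic.
    """
    seen = {}
    for i in range(limit):
        material = b"key-%d" % i
        tail = hashlib.sha1(material).digest()[-4:]   # the short ID, raw
        if tail in seen:
            return Key(seen[tail]), Key(material)
        seen[tail] = material
    raise RuntimeError("no collision within limit")


def verify_pinned_short_id(server, data, sig, pinned_short_id) -> bool:
    """What a user who pins only '3D9AEBB5' actually checks."""
    return any(signature_valid(k, data, sig)
               for k in server.lookup(pinned_short_id))


def verify_pinned_fingerprint(server, data, sig, pinned_fingerprint) -> bool:
    """Pin the full 160-bit fingerprint instead of the 32-bit ID."""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    return any(k.fingerprint == pinned and signature_valid(k, data, sig)
               for k in server.lookup(pinned))


def demo() -> dict:
    maintainer, attacker = colliding_key_pair()
    server = Keyserver()
    server.upload(maintainer)
    server.upload(attacker)   # attacker uploads the colliding key too

    archive = b"release.tar.xz (constructed sample contents)"
    trojaned = archive + b" + attacker payload"
    trojaned_sig = sign(attacker, trojaned)

    return {
        "short_id_accepts_forgery": verify_pinned_short_id(
            server, trojaned, trojaned_sig, maintainer.short_id),
        "fingerprint_rejects_forgery": not verify_pinned_fingerprint(
            server, trojaned, trojaned_sig, maintainer.fingerprint),
        "fingerprint_accepts_genuine": verify_pinned_fingerprint(
            server, archive, sign(maintainer, archive), maintainer.fingerprint),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The practical rule the model shows: publish and pin the full fingerprint
(`gpg --recv-keys` accepts one), and compare the fingerprint of the key
that actually produced the signature against that pin, rather than pinning
the 8-digit ID and trusting whatever the keyserver returned for it.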

