civodul pushed a commit to branch master
in repository maintenance.
commit 807601bde27ac01be68595f20f764baac20f94c2
Author: Ludovic Courtès <[email protected]>
AuthorDate: Thu May 6 11:41:50 2021 +0200
ccs-2021: Tweak "Related Work".
Part of the changes were indirectly suggested by Maxime Devos in
<https://issues.guix.gnu.org/48146>.
---
doc/ccs-2021/supply-chain.skb | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index 685a725..bb4fad4 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -935,24 +935,26 @@ similar work that we are aware of in these two areas.])
(p [The Update Framework ,(ref :bib 'samuel2010:survivable) (TUF)
is a reference for secure update systems, with a well-structured
specification ,(ref :bib 'cappos2020:tuf-spec) and a number of
-implementations. Many of its goals are shared by Guix. Not all the
-attacks it aims to protect against (Section 1.5.2 of the spec) are
-addressed by what’s presented in this post: ,(it [indefinite freeze
-attacks]), where updates never become available, are not addressed
-,(emph [per se]) (though easily observable), and ,(emph [slow retrieval
-attacks]) are not addressed either. The notion of ,(emph [role]) is
-also something currently missing from the Guix authentication model,
-where any authorized committer can touch any files, though the model and
-,(tt [.guix-authorizations]) format leave room for such an extension.])
+implementations. Many of its goals are shared by Guix. Among the
+attacks TUF aims to protect against (Section 1.5.2 of the spec), the
+downgrade-prevention mechanism described in ,(numref :text [Section]
+:ident "downgrade") does not, ,(it [per se]), address ,(it [indefinite
+freeze attacks]) (more on that below).])
(p [However, both in its goals and system descriptions, TUF is
biased towards systems that distribute binaries as plain files with
-associated meta-data. That creates a fundamental impedance mismatch
-with the functional deployment model we described in ,(numref :text
-[Section] :ident "background"). As an example, attacks such as ,(emph
+associated metadata. That creates a fundamental impedance mismatch with
+the functional deployment model we described in ,(numref :text [Section]
+:ident "background"). As an example, attacks such as ,(emph
[fast-forward attacks]) or ,(emph [mix-and-match attacks]) do not apply
in the context of Guix; likewise, the ,(emph [repository]) depicted in
-Section 3 of the spec has little in common with a Git repository.])
+Section 3 of the spec has little in common with a Git repository. The
+spec also defines a notion of ,(emph [role]), but those roles do not
+match our distribution model. With the authentication model described
+in ,(numref :text [Section] :ident "authenticating"), any authorized
+committer can touch any file; the model and the ,(tt
+[.guix-authorizations]) format leave room for per-file authorizations,
+which could be a way to define fine-grain roles in this context.])
(p [Developers of OPAM, the package manager for the OCaml
language, adapted TUF for use with their Git-based package repository,
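Review bot: the rewritten paragraph (the `+` lines beginning "implementations. Many of its goals are shared by Guix. Among the attacks") silently drops the statement that slow retrieval attacks are not addressed, which the removed text ("and ,(emph [slow retrieval attacks]) are not addressed either") made explicit; since the new sentence still points the reader at TUF's full attack list in Section 1.5.2, either keep one sentence saying they remain unaddressed or say why they are out of scope for a Git-based channel, otherwise the omission reads as a claim that they are covered. Two smaller points in the same hunk: attack names are now marked up inconsistently, `,(it [indefinite freeze attacks])` here versus `,(emph [fast-forward attacks])` a few lines below, so pick one of `it`/`emph` for all of them; and "fine-grain roles" should read "fine-grained roles".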
@@ -990,9 +992,11 @@ users to pull an older commit or an unrelated commit. As
written above,
would fail to detect cases where metadata modification does not yield a
rollback or teleport, yet gives users a different view than the intended
one—for instance, a user is directed to an authentic but different
-branch rather than the intended one. The “secure push” operation and
-the associated ,(emph [reference state log]) (RSL) the authors propose
-would be an improvement.]))
+branch rather than the intended one. This potentially allows for ,(it
+[indefinite freeze attacks]), though these would likely be quickly
+detected. The “secure push” operation and the associated ,(emph
+[reference state log]) (RSL) the authors propose would be an
+improvement.]))
(chapter :title [Conclusion]
:ident "conclusion"
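Review bot: in the new sentence "This potentially allows for ,(it [indefinite freeze attacks]), though these would likely be quickly detected", the detection claim names no mechanism and no party doing the detecting, so it cannot be checked; the removed text in the first hunk at least said "(though easily observable)". Suggest stating what detection relies on, e.g. that users or maintainers notice that the expected branch receives no new commits, and what bounds the window before that happens. Also, "This potentially allows for" has an unclear referent; tie it to the example just given, e.g. "Directing a user to an authentic but stale branch would likewise allow ,(it [indefinite freeze attacks])".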