On Mon, Jan 02, 2017 at 11:28:55PM +0100, Ludovic Courtès wrote:
> Hi!
>
> [email protected] skribis:
>
> > P.S. On second thought (and after a cup of coffee), could the database file be
> > generated using the same format programs like md5sum, sha1sum, et al use so we'd
> > just have to run (for example) md5sum -C database?
>
> That sounds like a good idea to complement ‘guix publish’ + ‘guix
> challenge’.
>
> A simple way to dump the database is like this:
>
> --8<---------------cut here---------------start------------->8---
> $ sudo sqlite3 /var/guix/db/db.sqlite
> SQLite version 3.14.1 2016-08-11 18:53:32
> Enter ".help" for usage hints.
> sqlite> select path,hash from validpaths;
> /gnu/store/98xcn26354r70nyamkgywqzjxvw3qikx-guile-2.0.9.tar.xz|sha256:a475e4bad3d39a94f01c590f239e80dbd84688e480ca74de3e335f6f36a0d975
> /gnu/store/hyh7kwkqlxc0x9s8cs5mjnih5v524486-make-impure-dirs.patch|sha256:d697a02be5fea425ac93eb650b1359e3e8053d84f70677c8c0a80291ed03585e
> /gnu/store/hv15hq91vm3ajv23lkq0kgd56d4kmd08-findutils-absolute-paths.patch|sha256:c4fc83e01a7f448b598905bcf6ca39b5ba0f1f0f131145b379f0de9c2fbe109b
> […]
> --8<---------------cut here---------------end--------------->8---
>
> (Of course you have to trust the database to contain the right hashes in
> the first place.)
>
> Ludo’.
That is part of the reason I also suggest an external utility, and ideally one that is simple enough that people could (re)implement it in their language of choice (so that what and where the script is, is generally unknown/unknowable/really hard to find, as well as much more difficult to compromise via simple methods such as patching).

Heck, since your normal user can read the store, one should be able to reasonably compare the currently stored database to something the user has generated via

# Please note that I'm not 100% sure this is correct. I don't think you'd want
# to include .link files, but I'm unable to find a quick way in the minute or
# two I wrote this to avoid them. Plus I'd expect some things to be checksummed
# that don't really need it.
$ find /gnu/store/ -type f -print0 | xargs -0 sha256sum

or something similar, given that sha256sum isn't compromised.

Once the two are known to be in sync (ideally with some form of external verification, and by external I mean booting and mounting the system under a Known Good liveUSB or similar and checking the database against the system's sha256sum as well as the liveUSB's Known Good version), then comparing to another person's checksum dump (ideally someone you know properly checks their system via the aforementioned or better method) to try and catch potential unwanted modification.

The obvious problem would be removing entries for programs known to not have a deterministic build (which makes all of this entirely moot for said program), and hope they aren't compromised and aren't Very Important to the system.
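The comparison sketched in the two messages above, as an added example; this is not code from the thread or from the Guix project. It parses the `path|sha256:hex` lines that sqlite3 prints for the validpaths table, renders them in the `hex  path` line format that sha256sum reads and writes, and diffs a local listing against a Known Good listing from another machine or person, reporting mismatched, missing and extra paths. One caveat the thread does not spell out: the hash column in validpaths is the hash of the whole store item's NAR serialization, not of individual files, so it cannot be checked directly against the per-file output of `find | sha256sum`; the conversion here only puts both sides into one line format, and the meaningful comparison is between two listings produced the same way. All store paths and digests below are constructed placeholders, and `audit` is a name chosen for this example.

```python
# Added example for the thread above; not code from the Guix project.
# Compares a local checksum listing (a sha256sum run, or a validpaths dump
# converted to sha256sum format) against a Known Good listing and reports
# paths whose digests differ, are missing, or are extra.
# All sample inputs below are constructed for illustration.
import hashlib
import sys


def parse_db_dump(text):
    """Parse sqlite3 default output lines of the form 'path|sha256:hex'.

    Lines without a '|' (the version banner, prompts) are skipped, so a
    pasted interactive session can be fed in as-is.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if "|" not in line:
            continue
        path, hashspec = line.split("|", 1)
        algo, _, digest = hashspec.partition(":")
        if algo != "sha256" or len(digest) != 64:
            raise ValueError(f"unexpected hash spec on line: {line!r}")
        entries[path] = digest.lower()
    return entries


def to_checksum_file(entries):
    """Render {path: hex} as sha256sum-style lines ('hex  path', two spaces)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(entries.items()))


def parse_checksum_file(text):
    """Parse sha256sum output ('hex  path', or 'hex *path' in binary mode)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep:
            digest, sep, path = line.partition(" *")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[path] = digest.lower()
    return entries


def compare(reference, candidate):
    """Return (mismatched, missing, extra) paths of candidate relative to reference."""
    mismatched = sorted(p for p in reference if p in candidate and candidate[p] != reference[p])
    missing = sorted(p for p in reference if p not in candidate)
    extra = sorted(p for p in candidate if p not in reference)
    return mismatched, missing, extra


def sha256_file(path):
    """Stream a file through SHA-256; yields the digest sha256sum would print for it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(db_dump_text, peer_listing_text):
    """Diff the local validpaths dump (converted to sha256sum format) against a peer's listing.

    The peer's Known Good listing is the reference; the local side is the candidate.
    """
    local = parse_checksum_file(to_checksum_file(parse_db_dump(db_dump_text)))
    peer = parse_checksum_file(peer_listing_text)
    return compare(peer, local)


# Constructed sample data: store paths and the 64-hex digests are placeholders.
SAMPLE_DB_DUMP = "\n".join([
    "SQLite version 3.14.1 2016-08-11 18:53:32",
    'Enter ".help" for usage hints.',
    "sqlite> select path,hash from validpaths;",
    "/gnu/store/0000000000000000000000000000000a-foo-1.0.tar.xz|sha256:" + "a" * 64,
    "/gnu/store/0000000000000000000000000000000b-bar.patch|sha256:" + "b" * 64,
    "/gnu/store/0000000000000000000000000000000c-baz.patch|sha256:" + "c" * 64,
]) + "\n"

# Constructed Known Good listing from a peer, in sha256sum output format:
# foo agrees, bar differs, qux only exists on the peer (binary-mode '*' marker).
SAMPLE_PEER_LISTING = "\n".join([
    "a" * 64 + "  /gnu/store/0000000000000000000000000000000a-foo-1.0.tar.xz",
    "d" * 64 + "  /gnu/store/0000000000000000000000000000000b-bar.patch",
    "e" * 64 + " */gnu/store/0000000000000000000000000000000e-qux.patch",
]) + "\n"


if __name__ == "__main__":
    mismatched, missing, extra = audit(SAMPLE_DB_DUMP, SAMPLE_PEER_LISTING)
    for label, paths in (("MISMATCH", mismatched), ("MISSING", missing), ("EXTRA", extra)):
        for p in paths:
            print(f"{label}: {p}")
    # Non-zero exit on any digest mismatch so the check can gate a script.
    sys.exit(1 if mismatched else 0)
```

Run as-is it prints one MISMATCH (bar), one MISSING (qux) and one EXTRA (baz) line for the constructed inputs; for real use, feed `parse_db_dump` the sqlite3 output and `parse_checksum_file` a listing captured from a Known Good boot. Extra and missing entries are reported separately from mismatches because, as the thread notes, non-deterministic builds and per-machine differences produce noise that should be reviewed rather than treated as a compromise.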
