Closed ben-grande closed 8 months ago
Thanks for your review.
apt update
call, can we rewind the time and point to older snapshots? (I first tried to use https but was unable to install the ca-certificates package without running apt update
first)Maybe @kit-ty-kate has a better insight vision about 2,3 and 4 ?
Some notes: (0) I don't quite understand the implications, indeed fetching everything over https would be nice. But what would improve if we enforce everyone to use tor for fetching tarballs? (1) Indeed this should be improved to also download the signature, and the OpenPGP key, and verify the signature (2) opam may go out and install some system packages that are required by some opam package. This is crucial for non-interactive opam usage. I agree the description in the opam man page is not very helpful. I opened https://github.com/ocaml/opam/issues/5719 so that the opam developers will track it and improve it. (3) For some reason (that I do not remember), opam in unprivileged containers need to have sandboxing disabled. Now, the question is: can we fix it? Should we instead run the container as superuser and enable sandboxing? To me, this is a choice between the devil and the deep blue sea. (4) The short answer is yes: the metadata (URL + checksum) is specified in the opam-repository(/ies) -- which is verified by its sha (via git, pinned to a specific commit in this project here), and the tarballs are downloaded then and their checksum is validated.
The longer answer is that I had several iterations over its design, and am still working on supply chain security for opam. Briefly, based on TUF; practically not there yet.
I'm also not very fan of using tor as transport layer, we already had issues when downloading opam packages with whonix in Qubes (#86).
For checking opam binary, for simplicity, I'll probably compare against one hashsum available at https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh (e.g hardcode hashum in Docker "38802b3079eeceb27aab3465bfd0f9f05a710dccf9487eb35fa2c02fbaf9a0659e1447aa19dd36df9cd01f760229de28c523c08c1c86a3aa3f5e25dbe7b551dd" for the current one, it's just one more hash :) ).
(0) I don't quite understand the implications, indeed fetching everything over https would be nice. But what would improve if we enforce everyone to use tor for fetching tarballs?
With tor it would be slower but would solve the problem of having to use https.
(3) For some reason (that I do not remember), opam in unprivileged containers need to have sandboxing disabled. Now, the question is: can we fix it? Should we instead run the container as superuser and enable sandboxing? To me, this is a choice between the devil and the deep blue sea.
Now I understand the problem better, thank you. I'd rather have the unikernel be built with an unprivileged container.
(4) The short answer is yes: the metadata (URL + checksum) is specified in the opam-repository(/ies) -- which is verified by its sha (via git, pinned to a specific commit in this project here), and the tarballs are downloaded then and their checksum is validated.
The longer answer is that I had several iterations over its design, and am still working on supply chain security for opam. Briefly, based on TUF; practically not there yet.
Great to know it is being worked on and is being based on TUF model.
For checking opam binary, for simplicity, I'll probably compare against one hashsum available at https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh (e.g hardcode hashum in Docker "38802b3079eeceb27aab3465bfd0f9f05a710dccf9487eb35fa2c02fbaf9a0659e1447aa19dd36df9cd01f760229de28c523c08c1c86a3aa3f5e25dbe7b551dd" for the current one, it's just one more hash :) ).
Great, it would make the Opam download the same level as the rest.
From what I’m reading everything was answered, maybe only (3) needs some context:
Running the bubblewrap sandbox inside of Docker is currently not possible without using docker run --privileged
(option sadly not available for docker build
). The upstream issue can be seen at https://github.com/containers/bubblewrap/issues/284. Running docker using root doesn’t change anything from what I know. The only two options that I know of would be to either use docker run --privileged
or opam init --disable-sandboxing
EDIT: oops i hit enter too fast..
Thanks everyone, closed with #190
Problem
Currently, Mirage Firewall is aiming to reproducible builds. But can it also improve the build security?
I read the git blames but they didn't inform the implications of these lines, just why they were need, for reproducibility.
Can apt-transport-https be installed before setting the debian snapshot so debian packages will be fetched over https for defense in depth against a failure of dpkg signature verification, which happens from time to time. I am proposing an
apt upgrade
andapt install -y --no-install-recommends apt-transport-tor
and change the repo definition of the snapshot to usehttps
. Will this break reproducibility because this package will not be pinned to a specific debian snapshot?download of Opam without signature verification, although the release packages have a companion
.sig
signature file. Would need to save the Opam release public key to this repo and place it in the docker container.Why is OPAMCONFIRMLEVEL=unsafe-yes require? What insecurities can it bring? I know this is Opam specific and not qubes-mirage-firewall, but I didn't understand the implications from reading the manpage.
Why is --disable-sandboxing needed? Is this to downgrade the opam version to be pinnned?
Is Opam fetching through https 0 1 solely? This is also Opam specific, Opam does not do package signature verification? If it does not do, this is an upstream problem and serves only as an information for me as it can't be fixed here. I have not found information that Opam does software verifications besides the CA certificates.
Summary
Analysis:
Request
I think it is important to document why those methods were used, via code comment or reflog.
Update