From: Simon Tournier <zimon.toutoune@gmail.com>
To: "Ludovic Courtès" <ludovic.courtes@inria.fr>
Cc: 60782@debbugs.gnu.org
Subject: bug#60782: Channels and dependency confusion
Date: Mon, 16 Jan 2023 12:18:58 +0100 [thread overview]
Message-ID: <874jsqvial.fsf@gmail.com> (raw)
In-Reply-To: <87cz7e7t2m.fsf@inria.fr>
Hi,
On lun., 16 janv. 2023 at 10:00, Ludovic Courtès <ludovic.courtes@inria.fr> wrote:
>> Well, the assumption for a similar attack using Guix channels is that
>> the user first adds the channel to their channel list. Therefore, they
>> trust what they consider able to be trust. ;-)
>
> Right, users would have to explicitly add the offending channel to their
> channel list in the first place. (And there are many other ways channel
> code could mess up with one’s machine.)
To be precise, the user must add a compromised channel; either
compromised by the packages which this channel offers or either by some
dependencies channel of this very same channel.
For instance, consider the user adds the channel guix-bimsb which
contains this .guix-channel [1] file:
--8<---------------cut here---------------start------------->8---
(channel
(version 0)
(dependencies
(channel
(name guix-past)
(url "https://gitlab.inria.fr/guix-hpc/guix-past"))
(channel
(name guix-science)
(url "https://github.com/guix-science/guix-science.git"))))
--8<---------------cut here---------------end--------------->8---
Here, the user could be compromised if the attacker is able to
compromise guix-past or guix-science. The user who trusts guix-bimsb is
maybe not aware of this recursive dependencies; but because they trust
guix-bimsb in the first place, somehow it means they trust people behind
guix-bimsb to check that guix-past or guix-science is not compromised.
Well, somehow it is a web of trust.
And if all channels are using authentication, then the attack is hard,
no?
1: <https://github.com/BIMSBbioinfo/guix-bimsb/blob/master/.guix-channel>
Cheers,
simon
next prev parent reply other threads:[~2023-01-16 11:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-13 13:48 bug#60782: Channels and dependency confusion Ludovic Courtès
2023-01-13 17:16 ` Simon Tournier
2023-01-16 9:00 ` Ludovic Courtès
2023-01-16 11:18 ` Simon Tournier [this message]
2023-01-16 19:49 ` david larsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jsqvial.fsf@gmail.com \
--to=zimon.toutoune@gmail.com \
--cc=60782@debbugs.gnu.org \
--cc=ludovic.courtes@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).