From: Thiago Jung Bauermann
To: Ludovic Courtès, Liliana Marie Prikler
Cc: guix-devel@gnu.org
Subject: Re: Tricking peer review
Date: Fri, 15 Oct 2021 20:13:36 -0300
Message-ID: <2932876.amfyGXvyGV@popigai>
References: <874k9if7am.fsf@inria.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hello,

On Friday, 15 October 2021, at 19:03:22 -03, Liliana Marie Prikler wrote:
> On Friday, 15.10.2021, 20:54 +0200, Ludovic Courtès wrote:
> > Consider this file as if it were a patch you’re reviewing:
> >
> > (define-module (content-addressed))
> > (use-modules (guix)
> >              (guix build-system gnu)
> >              (guix licenses)
> >              (gnu packages perl))
> >
> > (define-public sed
> >   (package
> >     (name "sed")
> >     (version "4.8")
> >     (source (origin
> >               (method url-fetch)
> >               (uri (string-append "mirror://gnu/zed/sed-" version
> >                                   ".tar.gz"))
>
> To be fair, gnu/zed sounds wonky, but you could try inserting a version
> that does not exist (e.g. 1+ the current latest version) and as a
> committer thereby bypass review entirely.  However, given that we trust
> committers in this aspect, I'd say they should be able to verify both
> URI and version field.  This is trivially possible with most schemes
> save for the mirror:// one.
>
> >               (sha256
> >                (base32
> >                 "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq"))))
> >     (build-system gnu-build-system)
> >     (synopsis "Stream editor")
> >     (native-inputs
> >      `(("perl" ,perl)))                 ;for tests
> >     (description
> >      "Sed is a non-interactive, text stream editor.  It receives a text
> > input from a file or from standard input and it then applies a series of text
> > editing commands to the stream and prints its output to standard output.  It
> > is often used for substituting text patterns in a stream.  The GNU
> > implementation offers several extensions over the standard utility.")
> >     (license gpl3+)
> >     (home-page "https://www.gnu.org/software/sed/")))
> >
> > sed
> >
> > It builds just fine:
> >
> > --8<---------------cut here---------------start------------->8---
> > $ guix build -f /tmp/content-addressed.scm
> > /gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
> > $ guix build -f /tmp/content-addressed.scm -S --check -v0
> > /gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
> > --8<---------------cut here---------------end--------------->8---
> >
> > Did you spot a problem?
> >
> > …
> >
> > So, what did we just build?
> >
> > --8<---------------cut here---------------start------------->8---
> > $ ls $(guix build -f /tmp/content-addressed.scm)/bin
> > egrep  fgrep  grep
> > --8<---------------cut here---------------end--------------->8---
> >
> > Oh oh!  This ‘sed’ package is giving us ‘grep’!  How come?
> >
> > The trick is easy: we give a URL that’s actually 404, with the hash
> > of a file that can be found on Software Heritage (in this case, that
> > of ‘grep-3.4.tar.xz’).  When downloading the source, the automatic
> > content-addressed fallback kicks in, and voilà:
> >
> > --8<---------------cut here---------------start------------->8---
> > $ guix build -f /tmp/content-addressed.scm -S --check
> >
> > La jena derivaĵo estos konstruata:
> >   /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
> >
> > building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...
> >
> > Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
> > From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
> > following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
> > download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"
> >
> > [...]
> >
> > Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
> > From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
> > downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
> >
> > warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
> > successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
> > --8<---------------cut here---------------end--------------->8---
> >
> > It’s nothing new, it’s what I do when I want to test the download
> > fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
> > c4a7aa82e25503133a1bd33148d17968c899a5f5).  Still, I wonder if it
> > could somehow be abused to have malicious packages pass review.
>
> I don't think this is much of a problem for packages where we have
> another source of truth (in this case mirrors/archives of sed), but it
> does point at a bigger problem when SWH is our only source of truth.
> I.e. when trying to conserve such software for the future, when other
> archives might fail and perhaps SHA256 itself might be broken, we can
> no longer be sure that the Guix time-machine indeed does what it
> promises.

I’ve been thinking lately that Guix {sh,c}ould have a new ‘release-signing-keys’
field in the package record which would list the keys that are known to sign
official releases of the package. Then Guix would check the tarball/git
commit/git tag when downloading it. It would be an additional (and IMHO
important) source of truth.

There are details that would need to be hashed out such as how to deal with
revoked keys or whether to store the keys themselves on the Guix repo or
anywhere else in Guix’s infrastructure, but I think it’s possible to arrive
at a reasonable solution.

Not all projects sign their release artifacts, but some do and it would be
nice to take advantage of that.

-- 
Thanks,
Thiago
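An added example (mine, not code from the thread or from Guix) that models the download behaviour Ludovic demonstrates with an in-memory mirror and content-addressed archive, and a reviewer-side check that refuses to count a hash as verified when only the fallback can serve it. The tarball contents, the `MIRROR`/`CONTENT_ARCHIVE` tables, the `Origin` class and `review_origin` are constructed stand-ins; hashes are hex digests rather than Guix's base32.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for tarball contents (not real release archives).
SED_TARBALL = b"constructed stand-in for sed-4.8.tar.gz"
GREP_TARBALL = b"constructed stand-in for grep-3.4.tar.xz"

# Constructed stand-in for the GNU mirror network: URL -> content.
MIRROR = {
    "mirror://gnu/sed/sed-4.8.tar.gz": SED_TARBALL,
    "mirror://gnu/grep/grep-3.4.tar.xz": GREP_TARBALL,
}
# Constructed stand-in for a content-addressed archive (Software Heritage in
# the thread): keyed by content hash alone, never by file name or URL.
CONTENT_ARCHIVE = {hashlib.sha256(b).hexdigest(): b for b in MIRROR.values()}

@dataclass
class Origin:
    """The two origin fields that matter here (hex digest, not Guix base32)."""
    uri: str
    sha256: str

def guix_like_download(origin):
    """Primary URL first, then content-addressed fallback, as url-fetch does.
    The result always matches origin.sha256, but it may be whatever file
    happens to have that hash, regardless of what origin.uri names."""
    data = MIRROR.get(origin.uri)
    if data is None:
        data = CONTENT_ARCHIVE.get(origin.sha256)
    if data is None or hashlib.sha256(data).hexdigest() != origin.sha256:
        raise RuntimeError(f"download failed for {origin.uri}")
    return data

def review_origin(origin):
    """Reviewer-side check: the declared URI itself must serve the declared
    hash.  Returns (ok, reason); a hash only the fallback satisfies is flagged."""
    data = MIRROR.get(origin.uri)
    if data is None:
        if origin.sha256 in CONTENT_ARCHIVE:
            return False, "URI is dead; hash satisfiable only via fallback"
        return False, "URI is dead"
    if hashlib.sha256(data).hexdigest() != origin.sha256:
        return False, "hash mismatch at declared URI"
    return True, "declared URI serves the declared hash"

# The thread's trick: a dead gnu/zed URL paired with the hash of grep's tarball.
TRICK_SED = Origin("mirror://gnu/zed/sed-4.8.tar.gz",
                   hashlib.sha256(GREP_TARBALL).hexdigest())
HONEST_SED = Origin("mirror://gnu/sed/sed-4.8.tar.gz",
                    hashlib.sha256(SED_TARBALL).hexdigest())
```

`guix_like_download(TRICK_SED)` succeeds and hands back the grep bytes, exactly the "cross fingers" outcome in the log above, while `review_origin(TRICK_SED)` reports the dead URI instead of trusting the fallback.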