From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id SC11H//uI2CvawAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 10 Feb 2021 14:34:39 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id IB5gG//uI2BEfgAAbx9fmQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 10 Feb 2021 14:34:39 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 42907940481
	for <larch@yhetil.org>; Wed, 10 Feb 2021 14:34:39 +0000 (UTC)
Received: from localhost ([::1]:53418 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1l9qZi-0004bC-51
	for larch@yhetil.org; Wed, 10 Feb 2021 09:34:38 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:41258)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jonathan@terracrypt.net>)
 id 1l9qYn-0003zA-Dt
 for guix-devel@gnu.org; Wed, 10 Feb 2021 09:33:41 -0500
Received: from wout3-smtp.messagingengine.com ([64.147.123.19]:35095)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jonathan@terracrypt.net>)
 id 1l9qYl-0002YF-4g
 for guix-devel@gnu.org; Wed, 10 Feb 2021 09:33:41 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.west.internal (Postfix) with ESMTP id 20DCBBDB
 for <guix-devel@gnu.org>; Wed, 10 Feb 2021 09:33:34 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute4.internal (MEProxy); Wed, 10 Feb 2021 09:33:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=terracrypt.net;
 h=to:references:from:subject:message-id:date:mime-version
 :in-reply-to:content-type:content-transfer-encoding; s=fm1; bh=v
 ynAvg6qNNqY6Sbz2npfyjlX3UjtsOI/Eb8zVcgp56Y=; b=rmh1Iry+WoVG6vWO2
 UrbCJ/84TJVTayn/IKb3TIPPxavSHb/M90DbyT4+ExSfkm8MVXzP6XvS13WqK4In
 EeSVORar2IVWJIhRQO4DhL91PViYVfql5e3ILmQV2EedYNCjCo/prGtn4K93FXss
 dM7pbzYGjhiJZjKGDClN7jfmBo4Rh2zrX2mqeIU/6Zpan8BBQKke+VI+7U1/jtIJ
 ihlI44csknufjm0xwraPTW5ruVUe/chn1/eVAHLYdP0Wu1cX94USb2omGIGg6NUv
 9LOC9wY3zzvOz/l4D3kTz/iw6UXg6z7qhN976hvzvDoOx5J/GCB/wthzHo13T2nW
 8jxGg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm2; bh=vynAvg6qNNqY6Sbz2npfyjlX3UjtsOI/Eb8zVcgp5
 6Y=; b=LGDQUgVDkr25XRgXoVSV+bofG5IRPauIQ+SMOhJhTbZsyOvqV119BhcFR
 NdnDNbOjaAsB1Dt+hPaMnlSC3SOXOp0ofi1x2dor+qvi0FN9HwonXECnjc7ODg/P
 FCD5tNiWhPe11Bl7YVi1/xAoibqsHCPPHkaBftRhokgX8v3Sh4/kxoikIhDR7Qqy
 filUv4/a9VjNPAnGw2JCsvovSRGCeRaAYP/t1euqjEOPCeoe22cUK11tzbNwbMkg
 cQDo7kBpsMYO6qs5iUKus2l2i47bcGqI/w4GmFG0XUKsKVQdC3wNq7Et+dSho4/r
 8/WZXWqhxIXfs3QEGqeLjP7Y62ZoA==
X-ME-Sender: <xms:ve4jYI1jF55yahxwKTKISM2KbLeH7FY6xaEMF_IB0i7ix5UdVp7SsA>
 <xme:ve4jYDEtWKfcDnh9izlPd3heWpJbnBLhuSnnISSGyUwNwCWtswTFv_w7wJrNDUEh_
 sUvz24ojfy36e5TVg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrheejgdeihecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepvfhfhffukffffgggjggtgfesthekre
 dttdefjeenucfhrhhomheplfhonhgrthhhrghnucfhrhgvuggvrhhitghkshhonhcuoehj
 ohhnrghthhgrnhesthgvrhhrrggtrhihphhtrdhnvghtqeenucggtffrrghtthgvrhhnpe
 ffffekieduvdehleduuddvhfeluefffedtleegvdeiffeukeeltefgtedtgeeuhfenucfk
 phepudejvddruddtgedrvddrgeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh
 epmhgrihhlfhhrohhmpehjohhnrghthhgrnhesthgvrhhrrggtrhihphhtrdhnvght
X-ME-Proxy: <xmx:ve4jYA6csZfCV2Se4t9vIRIlUIgFSUeWo_L9nk90LihiulkGZBe77A>
 <xmx:ve4jYB1yn25zyECsaaefc2smV-dEYUXBd25b_FcZRJbUeClZ4dtS6g>
 <xmx:ve4jYLFoae-NejPVVxhA7EhNmdn0sDUa97fcFq8Q9ACjwZalWsp97g>
 <xmx:ve4jYPTSiWqM8E-dgqTIat6L-1mt8SoNmWsTTE9heLTAhWjPWeKFOA>
Received: from applecake-2.local (unknown [172.104.2.4])
 by mail.messagingengine.com (Postfix) with ESMTPA id 52E6D240057
 for <guix-devel@gnu.org>; Wed, 10 Feb 2021 09:33:32 -0500 (EST)
To: guix-devel@gnu.org
References: <461926c3d053474dd7196c9ed8f59a45b8c9c82f@hey.com>
 <871rdobbt0.fsf@cbaines.net>
From: Jonathan Frederickson <jonathan@terracrypt.net>
Subject: Re: Mitigating "dependency confusion" attacks on Guix users
Message-ID: <735ee3f2-e6e5-cc3f-3d9c-ae9d309f360e@terracrypt.net>
Date: Wed, 10 Feb 2021 09:33:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:78.0)
 Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <871rdobbt0.fsf@cbaines.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=64.147.123.19;
 envelope-from=jonathan@terracrypt.net; helo=wout3-smtp.messagingengine.com
X-Spam_score_int: -29
X-Spam_score: -3.0
X-Spam_bar: ---
X-Spam_report: (-3.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.211,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Spam-Score: -2.56
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=terracrypt.net header.s=fm1 header.b=rmh1Iry+;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.b=LGDQUgVD;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: 42907940481
X-Spam-Score: -2.56
X-Migadu-Scanner: scn0.migadu.com
X-TUID: wd0aTq6CyyVe

On 2/10/21 2:51 AM, Christopher Baines wrote:
> I'm not sure you can escape trusting the collection of channels you're
> using. Because channels are code that's expected to interact, I'm not
> sure it's easy to target a single package from a specific channel, and
> expect that this provides some security. A malicious channel could
> simply reach out and modify the state in modules from a different
> channel, which would circumvent the protection you're suggesting.

Not that it's necessarily possible to prevent at this moment with the 
tools available to us, but... is there any case in Guix's normal usage 
where the modules containing package definitions need to reach out and 
modify the state in other modules?