From: zimoun <zimon.toutoune@gmail.com>
To: Ryan Prior <ryanprior@hey.com>,
	Development of GNU Guix and the GNU System distribution
	<guix-devel@gnu.org>
Subject: Re: Mitigating "dependency confusion" attacks on Guix users
Date: Wed, 10 Feb 2021 12:28:14 +0100	[thread overview]
Message-ID: <86o8gs9n75.fsf@gmail.com> (raw)
In-Reply-To: <461926c3d053474dd7196c9ed8f59a45b8c9c82f@hey.com>

Hi Ryan,

On Wed, 10 Feb 2021 at 00:08, Ryan Prior <ryanprior@hey.com> wrote:

> What comes to my mind is that we should encourage (require?) people to
> specify the channel name a package belongs to, if it's not the "guix"
> channel. So instead of referring to "python-beautifulsoup4" (ambiguous:
> is this from my channel or upstream Guix?) we say that "python-
> beautifulsoup4" always means that package from the "guix" channel and a
> version provided by my channel called "internal" needs to be called for
> explicitly, like "@internal/python-beautifulsoup4".

Could you provide a concrete example of such an attack?

I am not able to imagine a scenario.  Alice uses the official Guix
channel and another custom channel.  It is hard to compromise the
official Guix channel, IMHO.  Compromising the custom channel, well, it
depends on the custom channel. ;-)

Since channels are Git repos, compromising a channel means more or less
compromising a Git repo.  IMHO.  And Guix provides the tools to
authenticate channels, so it is up to Alice to trust or not a custom
channel, i.e., the people behind such a channel.

Therefore, if Alice trusts the custom channel, your proposal only adds
complexity, IMHO.  If Alice does not trust the custom channel, there
are 2 cases: a) she is already aware that installing packages from this
channel should be done with care because she does not trust it, and b)
the packages in this custom channel cannot be used by other official
packages because of modules, or Alice has to explicitly use the
“untrusted” module.  Well, see the examples below.

From my understanding, the design of channels using Git repos with Guile
modules is different from the PyPI & co. repos where literally anyone
has the right to upload packages without a strict DAG.  Thus, the
«dependency attack» seems defeated by Guix's design, i.e., it is hard to
find a scenario where Alice is really misled and does not explicitly
shoot herself in the foot.  But I could be wrong and just missing
imagination. :-)


Cheers,
simon

PS:
Some details with a naive scenario.

$ cd /tmp/
$ mkdir -p custom.git
$ cd custom.git
$ git init
Dépôt Git vide initialisé dans /tmp/custom.git/.git/


$ mkdir -p gnu/packages
$ cat gnu/packages/other-base.scm
(define-module (gnu packages other-base)
  #:use-module (guix packages)
  #:use-module (guix build-system gnu)
  #:use-module (guix git-download)
  #:use-module (guix licenses))

(define-public hello
  (package
    (name "hello")
    (version "2.10")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/zimoun/hello-example.git")
                    (commit "e1eefd033b8a2c4c81babc6fde08ebb116c6abb8")))
              (sha256
               (base32
                "1im1gglfm4k10bh4mdaqzmx3lm3kivnsmxrvl6vyvmfqqzljq75l"))))
    (build-system gnu-build-system)
    (synopsis "Hello, GNU world: An example GNU package")
    (description
     "GNU Hello prints the message \"Hello, world!\" and then exits.  It
serves as an example of standard GNU coding practices.  As such, it supports
command-line arguments, multiple languages, and so on.")
    (home-page "https://www.gnu.org/software/hello/")
    (license gpl3+)))

$ git add gnu/packages/other-base.scm
$ git commit -m 'Add (gnu packages other-base)'
[master (commit racine) 0eabc08] Add (gnu packages other-base)
 1 file changed, 26 insertions(+)
 create mode 100644 gnu/packages/other-base.scm


$ cat /tmp/channels.scm
(list (channel
        (name 'guix)
        (url "https://git.savannah.gnu.org/git/guix.git")
        (introduction
          (make-channel-introduction
            "9edb3f66fd807b096b48283debdcddccfea34bad"
            (openpgp-fingerprint
             "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA"))))
      (channel
       (name 'custom)
       (url "file:///tmp/custom.git")))

$ guix pull -C /tmp/channels.scm -p tmp/new
Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.or\
g/git/guix.git »...
Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git ».\
..
Construction depuis ces canaux :
  custom    file:///tmp/custom.git      62a12ec
  guix      https://git.savannah.gnu.org/git/guix.git   091ce05
[...]

$ /tmp/new/bin/guix build hello
guix build: warning: spécification du paquet « hello » ambiguë
guix build: warning: choix de hello@2.10 à l'emplacement gnu/packages/base.scm:\
77:2
/gnu/store/a462kby1q51ndvxdv3b6p0rsixxrgx1h-hello-2.10



$ touch README
$ git add README
$ git commit -m 'Tweak.'
[master 69e2eac] Tweak.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 README


$ cat /tmp/channels.scm
(list (channel
       (name 'custom)
       (url "file:///tmp/custom.git"))
      (channel
       (name 'guix)
       (url "https://git.savannah.gnu.org/git/guix.git")
       (introduction
        (make-channel-introduction
         "9edb3f66fd807b096b48283debdcddccfea34bad"
         (openpgp-fingerprint
          "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))))

$ guix pull -C /tmp/channels.scm -p /tmp/new
Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git ».\
..
Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.or\
g/git/guix.git »...
Construction depuis ces canaux :
  guix      https://git.savannah.gnu.org/git/guix.git   091ce05
  custom    file:///tmp/custom.git      69e2eac
Computing Guix derivation for 'x86_64-linux'...
[...]


$ /tmp/new/bin/guix build hello
guix build: warning: spécification du paquet « hello » ambiguë
guix build: warning: choix de hello@2.10 à l'emplacement gnu/packages/base.scm:\
77:2
/gnu/store/a462kby1q51ndvxdv3b6p0rsixxrgx1h-hello-2.10


At this point, Alice cannot be misled because the 2 packages 'hello' are
in 2 different modules: one is (gnu packages base) and the other is (gnu
packages other-base).

What happens if the corrupted 'hello' in the custom channel lives in a
module named (gnu packages base)?


$ git show 90ee24f
commit 90ee24f24b721cd73c4e2f86883da18a51ce0116 (HEAD -> master)
Author: zimoun <zimon.toutoune@gmail.com>
Date:   Wed Feb 10 12:11:36 2021 +0100

    (gnu packages other-base) -> (gnu packages base)

diff --git a/gnu/packages/other-base.scm b/gnu/packages/base.scm
similarity index 95%
rename from gnu/packages/other-base.scm
rename to gnu/packages/base.scm
index 4a1e33f..c547df6 100644
--- a/gnu/packages/other-base.scm
+++ b/gnu/packages/base.scm
@@ -1,4 +1,4 @@
-(define-module (gnu packages other-base)
+(define-module (gnu packages base)
   #:use-module (guix packages)
   #:use-module (guix build-system gnu)
   #:use-module (guix git-download)
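Review bot: the rename to gnu/packages/base.scm places this module at the same path the official guix channel already provides (the earlier warning resolved hello@2.10 from gnu/packages/base.scm:77:2), so after this commit two channels export (gnu packages base) and the combined `guix pull` below fails to build the custom channel. Keeping the module under its own name, `(define-module (gnu packages other-base)`, or under a namespace the official channel does not use, avoids the clash and keeps the custom 'hello' from ever shadowing the official module.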


$ guix pull -C /tmp/channels.scm -p /tmp/new
Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git ».\
..
Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.or\
g/git/guix.git »...
Construction depuis ces canaux :
  guix      https://git.savannah.gnu.org/git/guix.git   091ce05
  custom    file:///tmp/custom.git      90ee24f

[...]

construction de /gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv...
|builder for `/gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv' failed to\
 produce output path `/gnu/store/bwfswna2mva90z66r1bsszj9wbhypakn-custom'
la compilation de /gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv a écho\
ué
Vous trouverez le journal de compilation dans « /var/log/guix/drvs/60/ab9ayq695\
4g9aplmi0zdhg8rw24qh0-custom.drv.bz2 ».
cannot build derivation `/gnu/store/byajgdx0xyy4ln8cgf5hg6mcc1yxlxfa-profile.dr\
v': 1 dependencies couldn't be built
guix pull: error: build of `/gnu/store/byajgdx0xyy4ln8cgf5hg6mcc1yxlxfa-profile\
.drv' failed


So I am lacking imagination to realize the «dependency attack» because
of the Guile modules.
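Added example, not from the thread or from Guix itself: a small POSIX shell check that lists module files a custom channel defines under the same path as the official guix channel, i.e. the collision that makes the last `guix pull` above fail. It assumes both channels are available as local checkouts (directories); the sample trees it runs on are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-pull check that reports Guile
# module files a custom channel defines under the same path as the official
# guix channel. Such a collision (gnu/packages/base.scm in the scenario
# above) is what makes the combined `guix pull` fail.
# Assumption: both channels are available as local checkouts (directories).
set -eu
export LC_ALL=C   # deterministic sort order for comm(1)

# Print, one per line, the *.scm paths present in both checkouts.
module_collisions() {
    official=$1
    custom=$2
    tmp=$(mktemp -d)
    ( cd "$official" && find . -type f -name '*.scm' | sed 's|^\./||' | sort ) > "$tmp/official"
    ( cd "$custom"   && find . -type f -name '*.scm' | sed 's|^\./||' | sort ) > "$tmp/custom"
    comm -12 "$tmp/official" "$tmp/custom"
    rm -rf "$tmp"
}

# Build two constructed sample checkouts mirroring the scenario above:
# the official tree has gnu/packages/base.scm; the custom tree has both
# its original other-base.scm and the renamed copy at gnu/packages/base.scm.
make_sample_checkouts() {
    root=$(mktemp -d)
    mkdir -p "$root/official/gnu/packages" "$root/custom/gnu/packages"
    echo '(define-module (gnu packages base))'       > "$root/official/gnu/packages/base.scm"
    echo '(define-module (gnu packages hello))'      > "$root/official/gnu/packages/hello.scm"
    echo '(define-module (gnu packages other-base))' > "$root/custom/gnu/packages/other-base.scm"
    echo '(define-module (gnu packages base))'       > "$root/custom/gnu/packages/base.scm"
    echo "$root"
}

# Demo: list the colliding module paths for the sample checkouts.
root=$(make_sample_checkouts)
echo "Modules defined by both channels:"
module_collisions "$root/official" "$root/custom"
rm -rf "$root"
```

Running it against real checkouts (`module_collisions /path/to/guix /path/to/custom.git`) before adding a channel to channels.scm shows exactly which official modules the custom channel would shadow.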

