From: zimoun
To: Ryan Prior, Development of GNU Guix and the GNU System distribution
Subject: Re: Mitigating "dependency confusion" attacks on Guix users
In-Reply-To: <461926c3d053474dd7196c9ed8f59a45b8c9c82f@hey.com>
Date: Wed, 10 Feb 2021 12:28:14 +0100
Message-ID: <86o8gs9n75.fsf@gmail.com>

Hi Ryan,

On Wed, 10 Feb 2021 at 00:08, Ryan Prior wrote:

> What comes to my mind is that we should encourage (require?) people to
> specify the channel name a package belongs to, if it's not the "guix"
> channel. So instead of referring to "python-beautifulsoup4" (ambiguous:
> is this from my channel or upstream Guix?) we say that "python-
> beautifulsoup4" always means that package from the "guix" channel and a
> version provided by my channel called "internal" needs to be called for
> explicitly, like "@internal/python-beautifulsoup4".

Could you provide a concrete example of such an attack? I am not able to
imagine a scenario.

Alice uses the official Guix channel and another custom channel. It is
hard to compromise the official Guix channel, IMHO. Compromising the
custom channel, well, it depends on the custom channel. ;-) Since channels
are Git repos, compromising a channel means more or less compromising a
Git repo. IMHO.

And Guix provides the tools to authenticate channels, so it is up to
Alice to trust or not a custom channel, i.e., the people behind such a
channel. Therefore, if Alice trusts the custom channel, your proposal
only adds complexity, IMHO. If Alice does not trust the custom channel,
there are 2 cases: a) she is already aware that installing packages from
this channel should be done with care because she does not trust it, and
b) the packages in this custom channel cannot be used by other official
packages because of modules, or Alice has to explicitly use the
“untrusted” module. Well, examples below.

From my understanding, the design of channels using Git repos with Guile
modules is different from the PyPI & co. repos where literally anyone has
the right to upload packages without a strict DAG. Thus, the «dependency
attack» seems defeated by Guix design, i.e., it is hard to find a
scenario where Alice is really misled and does not explicitly shoot
herself in the foot. But I could be wrong and just missing imagination. :-)

Cheers,
simon

PS: Some details with a naive scenario.
$ cd /tmp/
$ mkdir -p custom.git
$ cd custom.git
$ git init
Dépôt Git vide initialisé dans /tmp/custom.git/.git/
$ mkdir -p gnu/packages
$ cat gnu/packages/other-base.scm
(define-module (gnu packages other-base)
  #:use-module (guix packages)
  #:use-module (guix build-system gnu)
  #:use-module (guix git-download)
  #:use-module (guix licenses))

(define-public hello
  (package
    (name "hello")
    (version "2.10")
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/zimoun/hello-example.git")
                    (commit "e1eefd033b8a2c4c81babc6fde08ebb116c6abb8")))
              (sha256
               (base32
                "1im1gglfm4k10bh4mdaqzmx3lm3kivnsmxrvl6vyvmfqqzljq75l"))))
    (build-system gnu-build-system)
    (synopsis "Hello, GNU world: An example GNU package")
    (description
     "GNU Hello prints the message \"Hello, world!\" and then exits.  It
serves as an example of standard GNU coding practices.  As such, it supports
command-line arguments, multiple languages, and so on.")
    (home-page "https://www.gnu.org/software/hello/")
    (license gpl3+)))
$ git add gnu/packages/other-base.scm
$ git commit -m 'Add (gnu packages other-base)'
[master (commit racine) 0eabc08] Add (gnu packages other-base)
 1 file changed, 26 insertions(+)
 create mode 100644 gnu/packages/other-base.scm
$ cat /tmp/channels.scm
(list (channel
       (name 'guix)
       (url "https://git.savannah.gnu.org/git/guix.git")
       (introduction
        (make-channel-introduction
         "9edb3f66fd807b096b48283debdcddccfea34bad"
         (openpgp-fingerprint
          "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"))))
      (channel
       (name 'custom)
       (url "file:///tmp/custom.git")))
$ guix pull -C /tmp/channels.scm -p tmp/new
Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.org/git/guix.git »...
Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git »...
Construction depuis ces canaux :
  custom   file:///tmp/custom.git                       62a12ec
  guix     https://git.savannah.gnu.org/git/guix.git    091ce05
[...]
$ /tmp/new/bin/guix build hello
guix build: warning: spécification du paquet « hello » ambiguë
guix build: warning: choix de hello@2.10 à l'emplacement gnu/packages/base.scm:77:2
/gnu/store/a462kby1q51ndvxdv3b6p0rsixxrgx1h-hello-2.10
$ touch README
$ git add README
$ git commit -m 'Tweak.'
[master 69e2eac] Tweak.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 README
$ cat /tmp/channels.scm
(list (channel
       (name 'custom)
       (url "file:///tmp/custom.git"))
      (channel
       (name 'guix)
       (url "https://git.savannah.gnu.org/git/guix.git")
       (introduction
        (make-channel-introduction
         "9edb3f66fd807b096b48283debdcddccfea34bad"
         (openpgp-fingerprint
          "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))))
$ guix pull -C /tmp/channels.scm -p /tmp/new
Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git »...
Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.org/git/guix.git »...
Construction depuis ces canaux :
  guix     https://git.savannah.gnu.org/git/guix.git    091ce05
  custom   file:///tmp/custom.git                       69e2eac
Computing Guix derivation for 'x86_64-linux'...
[...]
$ /tmp/new/bin/guix build hello
guix build: warning: spécification du paquet « hello » ambiguë
guix build: warning: choix de hello@2.10 à l'emplacement gnu/packages/base.scm:77:2
/gnu/store/a462kby1q51ndvxdv3b6p0rsixxrgx1h-hello-2.10

At this point, Alice cannot be misled because the 2 packages 'hello' are in
2 different modules, one is (gnu packages base) and the other is
(gnu packages other-base). What happens if the corrupted 'hello' in the
custom channel lives in a module named (gnu packages base)?

$ git show 90ee24f
commit 90ee24f24b721cd73c4e2f86883da18a51ce0116 (HEAD -> master)
Author: zimoun
Date:   Wed Feb 10 12:11:36 2021 +0100

    (gnu packages other-base) -> (gnu packages base)

diff --git a/gnu/packages/other-base.scm b/gnu/packages/base.scm
similarity index 95%
rename from gnu/packages/other-base.scm
rename to gnu/packages/base.scm
index 4a1e33f..c547df6 100644
--- a/gnu/packages/other-base.scm
+++ b/gnu/packages/base.scm
@@ -1,4 +1,4 @@
-(define-module (gnu packages other-base)
+(define-module (gnu packages base)
   #:use-module (guix packages)
   #:use-module (guix build-system gnu)
   #:use-module (guix git-download)
$ guix pull -C /tmp/channels.scm -p /tmp/new
Mise à jour du canal « custom » depuis le dépôt Git « file:///tmp/custom.git »...
Mise à jour du canal « guix » depuis le dépôt Git « https://git.savannah.gnu.org/git/guix.git »...
Construction depuis ces canaux :
  guix     https://git.savannah.gnu.org/git/guix.git    091ce05
  custom   file:///tmp/custom.git                       90ee24f
[...]
construction de /gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv...
|builder for `/gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv' failed to produce output path `/gnu/store/bwfswna2mva90z66r1bsszj9wbhypakn-custom'
la compilation de /gnu/store/60ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv a échoué
Vous trouverez le journal de compilation dans « /var/log/guix/drvs/60/ab9ayq6954g9aplmi0zdhg8rw24qh0-custom.drv.bz2 ».
cannot build derivation `/gnu/store/byajgdx0xyy4ln8cgf5hg6mcc1yxlxfa-profile.drv': 1 dependencies couldn't be built
guix pull: error: build of `/gnu/store/byajgdx0xyy4ln8cgf5hg6mcc1yxlxfa-profile.drv' failed

So I am lacking imagination to realize the «dependencies attack» because
of the Guile modules.
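Review bot: the rename in this hunk makes the custom channel export a module named (gnu packages base), the same module name the official guix channel already provides, so the two channels can no longer be combined into one profile; the guix pull output that follows shows the custom.drv derivation failing to produce its output and the profile build aborting with "1 dependencies couldn't be built". Only the define-module line changes, so the package is still called hello; without the module collision the result would just be the ambiguous-specification warning seen earlier. A custom channel that wants to ship its own variant should keep a module name of its own, as (gnu packages other-base) did.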
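The two failure modes shown in the transcript (the same package symbol in two differently named modules, which makes `guix build` warn that the specification is ambiguous, and the same module path in two channels, which makes `guix pull` fail) can both be spotted before pulling by comparing the channel checkouts on disk. The script below is an added example, not code from the original mail or from Guix: it assumes each channel is available as a local checkout with a `gnu/` tree, and the two sample checkouts it inspects are constructed inside the script itself (their `.scm` files are stand-ins, not real package definitions).

```shell
#!/bin/sh
# Added example, not from the original mail or from Guix: before pulling,
# list package symbols and module files that exist in more than one
# channel checkout. The same symbol in two different modules is what makes
# `guix build hello` warn about an ambiguous package specification; the
# same module path in two channels is what made `guix pull` fail above.
set -eu

# find_collisions CHECKOUT...
# Prints one line per collision: "module gnu/packages/x.scm" when a module
# file path exists in several checkouts, "symbol NAME" when a
# (define-public NAME ...) form appears in several checkouts.
find_collisions() {
  {
    for dir in "$@"; do
      # module paths relative to the checkout root, each listed once per checkout
      (cd "$dir" && find gnu -type f -name '*.scm' | sed 's/^/module /' | sort -u)
      # exported package symbols, each listed once per checkout
      (cd "$dir" && find gnu -type f -name '*.scm' \
         -exec grep -hoE '^\(define-public[[:space:]]+[^[:space:]()]+' {} + \
         | awk '{print "symbol " $2}' | sort -u)
    done
  } | sort | uniq -d   # a line seen twice came from two different checkouts
}

# make_sample ROOT: constructed stand-ins for a 'guix' and a 'custom' checkout,
# mirroring the scenario in the mail (these are not real package definitions).
make_sample() {
  root=$1
  mkdir -p "$root/guix/gnu/packages" "$root/custom/gnu/packages"
  cat > "$root/guix/gnu/packages/base.scm" <<'EOF'
(define-module (gnu packages base))
(define-public hello "official hello")
(define-public coreutils "official coreutils")
EOF
  # same symbol 'hello' in a differently named module -> ambiguity warning
  cat > "$root/custom/gnu/packages/other-base.scm" <<'EOF'
(define-module (gnu packages other-base))
(define-public hello "custom hello")
EOF
  # same module path as the official channel -> the pull cannot build
  cat > "$root/custom/gnu/packages/base.scm" <<'EOF'
(define-module (gnu packages base))
(define-public internal-tool "custom tool")
EOF
}

# Stand-alone run: build the constructed checkouts, report, clean up.
demo_root=$(mktemp -d)
make_sample "$demo_root"
find_collisions "$demo_root/guix" "$demo_root/custom"
rm -rf "$demo_root"
```

Run against real checkouts as `find_collisions /path/to/guix /path/to/custom`; an empty result means no symbol or module path is shared, so neither the ambiguity warning nor the module clash from the transcript can occur for that pair of channels. The `symbol` lines only look at `define-public` names, which is what `guix build NAME` resolves against; a package whose `(name ...)` string differs from its variable name is reported under the variable name.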