From: Christine Lemmer-Webber
To: Ludovic Courtès
Cc: guix-devel@gnu.org
Subject: Re: Tricking peer review
Date: Mon, 25 Oct 2021 09:09:13 -0400
Message-ID: <874k95459p.fsf@dustycloud.org>
In-reply-to: <874k9if7am.fsf@inria.fr>
Ludovic Courtès writes:

> It builds just fine:
>
> $ guix build -f /tmp/content-addressed.scm
> /gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
> $ guix build -f /tmp/content-addressed.scm -S --check -v0
> /gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
>
> Did you spot a problem?
>
> …
>
> So, what did we just build?
>
> $ ls $(guix build -f /tmp/content-addressed.scm)/bin
> egrep fgrep grep
>
> Oh oh! This ‘sed’ package is giving us ‘grep’! How come?
>
> The trick is easy: we give a URL that’s actually 404, with the hash of a
> file that can be found on Software Heritage (in this case, that of
> ‘grep-3.4.tar.xz’). When downloading the source, the automatic
> content-addressed fallback kicks in, and voilà:
>
> $ guix build -f /tmp/content-addressed.scm -S --check
> La jena derivaĵo estos konstruata:
> /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
> building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...
>
> Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
> From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
> following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
> download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"
>
> [...]
>
> Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
> From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
> downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
>
> warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
> successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
>
> It’s nothing new, it’s what I do when I want to test the download
> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
> c4a7aa82e25503133a1bd33148d17968c899a5f5). Still, I wonder if it could
> somehow be abused to have malicious packages pass review.

Here's another way to think of it, borrowing from some ocap systems: the hash is the actual, canonical identifier of this package revision. The URL to get the package is merely a "hint" as to where to get it. Therefore, there can be many other "hints" as to where to get it too, enabling mirrors to be elevated to the "same" priority as the original source.
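As an added illustration, not code from Guix or from anyone in this thread, here is a Python sketch of the download flow Ludovic describes together with the reviewer-side check it calls for: since the hash, not the URL, decides what gets built, review has to confirm that the declared URL itself serves bytes with the declared hash. The mirror, archive, URLs and tarball bytes below are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for the network (not real Guix code or real tarballs):
# MIRROR maps URLs to bytes; ARCHIVE is content-addressed, keyed by sha256 hex.
GREP_TARBALL = b"grep-3.4 sources (constructed placeholder bytes)"
GREP_SHA256 = hashlib.sha256(GREP_TARBALL).hexdigest()
MIRROR = {"https://mirror.example/gnu/grep/grep-3.4.tar.xz": GREP_TARBALL}
ARCHIVE = {GREP_SHA256: GREP_TARBALL}


def resolve_source(url, sha256, mirror=MIRROR, archive=ARCHIVE):
    """Mimic the build-time download: the URL is tried first, and on failure
    the content-addressed archive is consulted by hash alone.  Returns
    (bytes, how), where how is "url", "fallback" or "missing"."""
    data = mirror.get(url)
    if data is not None and hashlib.sha256(data).hexdigest() == sha256:
        return data, "url"
    data = archive.get(sha256)
    if data is not None:
        return data, "fallback"
    return None, "missing"


def review_origin(name, url, sha256, mirror=MIRROR, archive=ARCHIVE):
    """Reviewer-side check: anything that is satisfied only by the fallback
    is flagged, because the URL then tells the reviewer nothing about what
    the hash actually names.  Returns a list of findings (empty = clean)."""
    findings = []
    data, how = resolve_source(url, sha256, mirror, archive)
    if how == "missing":
        findings.append(f"{name}: nothing matches {sha256[:12]} at the URL or in the archive")
    elif how == "fallback":
        findings.append(f"{name}: declared URL does not serve {sha256[:12]}; "
                        "source came from the content-addressed fallback, inspect it by hand")
    return findings


if __name__ == "__main__":
    # Honest origin: URL and hash agree, no findings.
    print(review_origin("grep", "https://mirror.example/gnu/grep/grep-3.4.tar.xz", GREP_SHA256))
    # The case from the thread: a "sed" origin whose URL is dead but whose hash is grep's.
    print(review_origin("sed", "https://mirror.example/gnu/zed/sed-4.8.tar.gz", GREP_SHA256))
```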