It builds just fine:

--8<---------------cut here---------------start------------->8---
$ guix build -f /tmp/content-addressed.scm
/gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
$ guix build -f /tmp/content-addressed.scm -S --check -v0
/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
--8<---------------cut here---------------end--------------->8---

Did you spot a problem?

…

So, what did we just build?

--8<---------------cut here---------------start------------->8---
$ ls $(guix build -f /tmp/content-addressed.scm)/bin
egrep  fgrep  grep
--8<---------------cut here---------------end--------------->8---

Oh oh!  This ‘sed’ package is giving us ‘grep’!  How come?

The trick is easy: we give a URL that’s actually 404, with the hash of a file that can be found on Software Heritage (in this case, that of ‘grep-3.4.tar.xz’).  When downloading the source, the automatic content-addressed fallback kicks in, and voilà:

--8<---------------cut here---------------start------------->8---
$ guix build -f /tmp/content-addressed.scm -S --check
The following derivation will be built:
  /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...
Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"

[...]

Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
--8<---------------cut here---------------end--------------->8---

It’s nothing new; it’s what I do when I want to test the download fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit c4a7aa82e25503133a1bd33148d17968c899a5f5).

Still, I wonder if it could somehow be abused to have malicious packages pass review.  Granted, ‘guix lint’ immediately flags the issue:

--8<---------------cut here---------------start------------->8---
$ guix lint -L /tmp/p sed
guix lint: warning: ambiguous package specification `sed'
guix lint: warning: choosing sed@4.8 from /tmp/content-addressed.scm:8:2
/tmp/content-addressed.scm:11:11: sed@4.8: all the source URIs are unreachable:
/tmp/content-addressed.scm:11:11: sed@4.8: URI https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz not reachable: 404 ("Not Found")
/tmp/content-addressed.scm:11:11: sed@4.8: URI ftp://ftp.cs.tu-berlin.de/pub/gnu/zed/sed-4.8.tar.gz domain not found: Name or service not known
/tmp/content-addressed.scm:11:11: sed@4.8: URI ftp://ftp.funet.fi/pub/mirrors/ftp.gnu.org/gnu/zed/sed-4.8.tar.gz not reachable: 550 ("Can't change directory to zed: No such file or directory")
/tmp/content-addressed.scm:11:11: sed@4.8: URI http://ftp.gnu.org/pub/gnu/zed/sed-4.8.tar.gz not reachable: 404 ("Not Found")
--8<---------------cut here---------------end--------------->8---

Also, just because a URL looks nice and is reachable doesn’t mean the source is trustworthy either.  An attacker could submit a package for an obscure piece of software that happens to be malware.  The difference here is that the trick above would allow targeting a high-impact package.

On the plus side, such an attack would be recorded forever in Git history.

Also on the plus side, it turns out our origin URLs are currently (unintentionally) limited to ASCII, so I couldn’t write “/ṡed” in the URL.

All in all, it’s probably not as worrisome as it first seems.  However, it’s worth keeping in mind when reviewing a package.

Thoughts?

Ludo’.
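To make the trick concrete, here is a hypothetical reconstruction of the ‘/tmp/content-addressed.scm’ file used above. It is an added example, not the file from the message (which was never posted) and not code from the Guix project. It assumes the ‘mirror://gnu’ URL scheme, which expands to the mirrors visible in the lint output; the sha256 is the hex value taken from the Software Heritage URL in the log, converted with ‘base16-string->bytevector’ from ‘(guix base16)’; the synopsis, description and license fields are placeholders.

```scheme
;; Hypothetical reconstruction of /tmp/content-addressed.scm (added example,
;; not the original file).  Evaluate with: guix build -f content-addressed.scm
(use-modules (guix packages)
             (guix download)
             (guix base16)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

(package
  (name "sed")
  (version "4.8")
  (source (origin
            (method url-fetch)
            ;; Deliberately wrong directory ("zed" instead of "sed"): every
            ;; mirror expanded from mirror://gnu answers 404 or 550, so
            ;; url-fetch falls through to its content-addressed mirrors.
            (uri (string-append "mirror://gnu/zed/sed-" version ".tar.gz"))
            ;; Hash copied from the Software Heritage URL in the log above.
            ;; Per the message it is the hash of grep-3.4.tar.xz, not of any
            ;; sed release; the fallback fetches whatever content matches it
            ;; and stores it under the innocuous name sed-4.8.tar.gz.
            (sha256
             (base16-string->bytevector
              "58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb"))))
  (build-system gnu-build-system)
  (home-page "https://www.gnu.org/software/sed/")
  (synopsis "Stream editor (placeholder)")
  (description "Placeholder description: declares sed, builds grep.")
  (license license:gpl3+))
```

The review check this suggests is independent of the fallback: fetch the tarball from the URI as written (for instance with ‘guix download’ on the expanded URL, or with curl) and compare the result of ‘guix hash’ against the hash in the definition. A URI that is unreachable on every mirror, or a hash that does not match the file the URI actually serves, is the tell, whatever ‘guix build’ reports.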