From: Ludovic Courtès <ludovic.courtes@inria.fr>
To: guix-devel@gnu.org
Subject: Tricking peer review
Date: Fri, 15 Oct 2021 20:54:09 +0200
Message-ID: <874k9if7am.fsf@inria.fr>

Hello,

Consider this file
as if it were a patch you’re reviewing:

[attachment: content-addressed.scm]

--8<---------------cut here---------------start------------->8---
(define-module (content-addressed))

(use-modules (guix)
             (guix build-system gnu)
             (guix licenses)
             (gnu packages perl))

(define-public sed
  (package
    (name "sed")
    (version "4.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/zed/sed-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq"))))
    (build-system gnu-build-system)
    (synopsis "Stream editor")
    (native-inputs `(("perl" ,perl)))   ;for tests
    (description
     "Sed is a non-interactive, text stream editor.  It receives a text
input from a file or from standard input and it then applies a series of
text editing commands to the stream and prints its output to standard
output.  It is often used for substituting text patterns in a stream.  The
GNU implementation offers several extensions over the standard utility.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/sed/")))

sed
--8<---------------cut here---------------end--------------->8---

It builds just fine:

--8<---------------cut here---------------start------------->8---
$ guix build -f /tmp/content-addressed.scm
/gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
$ guix build -f /tmp/content-addressed.scm -S --check -v0
/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
--8<---------------cut here---------------end--------------->8---

Did you spot a problem?

…

So, what did we just build?

--8<---------------cut here---------------start------------->8---
$ ls $(guix build -f /tmp/content-addressed.scm)/bin
egrep fgrep grep
--8<---------------cut here---------------end--------------->8---

Oh oh!  This ‘sed’ package is giving us ‘grep’!  How come?
The trick is easy: we give a URL that’s actually 404, with the hash of a
file that can be found on Software Heritage (in this case, that of
‘grep-3.4.tar.xz’).  When downloading the source, the automatic
content-addressed fallback kicks in, and voilà:

--8<---------------cut here---------------start------------->8---
$ guix build -f /tmp/content-addressed.scm -S --check
La jena derivaĵo estos konstruata:
  /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...
Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"

[...]

Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
--8<---------------cut here---------------end--------------->8---

It’s nothing new, it’s what I do when I want to test the download
fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
c4a7aa82e25503133a1bd33148d17968c899a5f5).

Still, I wonder if it could somehow be abused to have malicious packages
pass review.
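[Added illustration, not part of Ludovic's message and not Guix's own code.  The content-addressed fallback looks the file up by the sha256 the package declares, which is why the Software Heritage URL in the log above ends in the hex form of the `base32` string from content-addressed.scm.  The Python below decodes that nix-base32 string with the Nix/Guix alphabet and bit layout, then reads an excerpt of the build log quoted above to report which declared URLs failed, whether a content-addressed mirror served the file, and whether the mirror URL carries the declared hash; the names `nix_base32_to_sha256_hex`, `audit_download_log` and `CONTENT_ADDRESSED_HOSTS` are this example's own, and the log excerpt is copied from the message.]

```python
import re

# Nix/Guix base32 alphabet: 32 symbols; e, o, t and u are left out.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_decode(text, size=32):
    """Decode a Nix-style base32 string into `size` bytes.

    The last character carries the low five bits of byte 0, so the string
    is walked from its end; a five-bit digit may straddle two bytes.
    """
    out = bytearray(size)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.index(ch)        # ValueError on a bad symbol
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i + 1 < size:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("string encodes more than %d bytes" % size)
    return bytes(out)


def nix_base32_to_sha256_hex(text):
    """Hex form of a 52-character nix-base32 sha256, i.e. the form Guix
    puts after "sha256:" in the Software Heritage content URL."""
    if len(text) != 52:
        raise ValueError("a nix-base32 sha256 has 52 characters")
    return nix_base32_decode(text, 32).hex()


# Excerpt of the `guix build -S --check` output quoted in the message.
BUILD_LOG = """\
Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not Found"
Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
downloading from https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ...
warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
"""

# Hosts that serve files by hash rather than by the declared URL
# (this example's own list; extend it for other content-addressed mirrors).
CONTENT_ADDRESSED_HOSTS = ("archive.softwareheritage.org",)


def audit_download_log(log, declared_base32):
    """Summarise where the source came from: failed declared URLs, any
    content-addressed fallback that served it, and whether that fallback
    URL embeds the sha256 the package declares (it must, since that is how
    the fallback looks the file up)."""
    expected_hex = nix_base32_to_sha256_hex(declared_base32)
    failed = re.findall(r'download failed "([^"]+)" (\d{3})', log)
    fallbacks = [url for url in re.findall(r"downloading from (\S+)", log)
                 if any(host in url for host in CONTENT_ADDRESSED_HOSTS)]
    return {
        "failed_urls": failed,
        "fallback_urls": fallbacks,
        "served_by_fallback": bool(fallbacks),
        "fallback_carries_declared_hash": any(expected_hex in u for u in fallbacks),
        "hash_rewritten": "rewriting hashes in" in log,
    }


if __name__ == "__main__":
    declared = "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq"
    print("declared sha256:", nix_base32_to_sha256_hex(declared))
    for key, value in audit_download_log(BUILD_LOG, declared).items():
        print("%s: %s" % (key, value))
```

Run on the excerpt, `served_by_fallback` and `fallback_carries_declared_hash` both come out true: the build succeeded, but nothing in it ever fetched the declared URL, which is the cue a reviewer wants surfaced rather than buried in a "successfully built" line.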
Granted, ‘guix lint’ immediately flags the issue:

--8<---------------cut here---------------start------------->8---
$ guix lint -L /tmp/p sed
guix lint: warning: plursenca pak-specifigo 'sed'
guix lint: warning: ni elektas sed@4.8 el /tmp/content-addressed.scm:8:2
/tmp/content-addressed.scm:11:11: sed@4.8: all the source URIs are unreachable:
/tmp/content-addressed.scm:11:11: sed@4.8: URI https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz ne estas alirebla: 404 ("Not Found")
/tmp/content-addressed.scm:11:11: sed@4.8: URI ftp://ftp.cs.tu-berlin.de/pub/gnu/zed/sed-4.8.tar.gz domajno ne trovita: Nomo aŭ servo ne konatas
/tmp/content-addressed.scm:11:11: sed@4.8: URI ftp://ftp.funet.fi/pub/mirrors/ftp.gnu.org/gnu/zed/sed-4.8.tar.gz ne estas alirebla: 550 ("Can't change directory to zed: No such file or directory")
/tmp/content-addressed.scm:11:11: sed@4.8: URI http://ftp.gnu.org/pub/gnu/zed/sed-4.8.tar.gz ne estas alirebla: 404 ("Not Found")
--8<---------------cut here---------------end--------------->8---

Also, just because a URL looks nice and is reachable doesn’t mean the
source is trustworthy either.  An attacker could submit a package for an
obscure piece of software that happens to be malware.  The difference
here is that the trick above would allow targeting a high-impact package.

On the plus side, such an attack would be recorded forever in Git history.

Also on the plus side, it turns out our origin URLs are currently
(unintentionally) limited to ASCII, so I couldn’t write “/ṡed” in the
URL.

All in all, it’s probably not as worrisome as it first seems.  However,
it’s worth keeping in mind when reviewing a package.

Thoughts?

Ludo’.
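[Added illustration, not part of Ludovic's message and not part of `guix lint`.  The lint output above catches the unreachable URIs, and the message notes that origin URLs are currently ASCII-only, which rules out a "/ṡed" look-alike.  The Python below is a small pre-review check in the same spirit, run over the package text from content-addressed.scm: it rebuilds the download URL the way the build does (string literals concatenated, `version` substituted), then flags a mirror://gnu/ directory that is not the package name, a tarball name that does not match name-version, and any non-ASCII character in the URI.  The regex parsing assumes the one-package layout shown in the message; `review_origin`, `resolve_uri`, the `CLEAN_TEXT` and `HOMOGLYPH_TEXT` variants are this example's own constructions.]

```python
import re

# Package text copied from the message (module header omitted).
PACKAGE_TEXT = r'''
(define-public sed
  (package
    (name "sed")
    (version "4.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/zed/sed-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq"))))
    (build-system gnu-build-system)))
'''

# Constructed variants: the honest URL, and the "/ṡed" (U+1E61) look-alike
# the message says cannot currently be written in an origin URL.
CLEAN_TEXT = PACKAGE_TEXT.replace("mirror://gnu/zed/", "mirror://gnu/sed/")
HOMOGLYPH_TEXT = PACKAGE_TEXT.replace("mirror://gnu/zed/", "mirror://gnu/\u1e61ed/")


def _field(text, field):
    """Value of a (field "string") form, or None if absent."""
    m = re.search(r'\(%s\s+"([^"]+)"\)' % field, text)
    return m.group(1) if m else None


def resolve_uri(text, version):
    """Rebuild the download URL from the (uri ...) form the way the build
    does: string literals are concatenated and the symbol `version` is
    replaced by the package version.  Assumes (uri ...) directly precedes
    (sha256 ...), as in the message's package."""
    m = re.search(r'\(uri\s+(.*?)\)\s*\(sha256', text, re.S)
    if m is None:
        raise ValueError("no (uri ...) form followed by (sha256 ...)")
    pieces = []
    for literal, symbol in re.findall(r'"([^"]*)"|\b(version)\b', m.group(1)):
        pieces.append(version if symbol else literal)
    return "".join(pieces)


def review_origin(text):
    """Return human-readable findings about the package's origin URI;
    an empty list means nothing looked off."""
    name, version = _field(text, "name"), _field(text, "version")
    uri = resolve_uri(text, version)
    findings = []
    if any(ord(c) > 127 for c in uri):
        findings.append("non-ASCII character in origin URI %r" % uri)
    m = re.match(r"mirror://gnu/([^/]+)/", uri)
    if m and m.group(1) != name:
        findings.append("mirror://gnu directory %r is not the package name %r"
                        % (m.group(1), name))
    tarball = uri.rsplit("/", 1)[-1]
    if not tarball.startswith("%s-%s." % (name, version)):
        findings.append("tarball %r does not look like %s-%s.*"
                        % (tarball, name, version))
    return findings


if __name__ == "__main__":
    for label, text in [("as posted", PACKAGE_TEXT), ("clean", CLEAN_TEXT),
                        ("homoglyph", HOMOGLYPH_TEXT)]:
        print(label, "->", review_origin(text) or ["no findings"])
```

The "zed" directory is the only thing the posted package gets flagged for, which is exactly the detail a reviewer reading "sed-4.8.tar.gz" and a green build is most likely to skim past; the homoglyph variant trips both the ASCII and the directory check.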