From: Ludovic Courtès
To: Leo Famulari
Cc: guix-devel@gnu.org
Subject: Re: Tricking peer review
Date: Thu, 21 Oct 2021 09:12:58 +0200
Message-ID: <87bl3i6ebp.fsf@inria.fr>
In-Reply-To: (Leo Famulari's message of "Wed, 20 Oct 2021 19:09:09 -0400")
References: <874k9if7am.fsf@inria.fr>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hi,

Leo Famulari writes:

> On Fri, Oct 15, 2021 at 08:54:09PM +0200, Ludovic Courtès wrote:
>> The trick is easy: we give a URL that’s actually 404, with the hash of a
>> file that can be found on Software Heritage (in this case, that of
>> ‘grep-3.4.tar.xz’). When downloading the source, the automatic
>> content-addressed fallback kicks in, and voilà:
> [...]
>> Thoughts?
>
> It's a real risk... another illustration that our security model trusts
> committers implicitly (not saying that's a bad thing or even avoidable).
>
> In years past I mentioned a similar technique but based on using
> old/vulnerable versions of security-critical packages like OpenSSL. The
> same approach would have worked since we started using Nix's
> content-addressed mirror.

Right. Like zimoun wrote, the SWH fallback makes this even more stealthily
exploitable.

>> It’s nothing new, it’s what I do when I want to test the download
>> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
>> c4a7aa82e25503133a1bd33148d17968c899a5f5). Still, I wonder if it could
>> somehow be abused to have malicious packages pass review.
>
> Nice feature! Sorry if this was already suggested, but is it possible to
> create an argument to this variable that disallows use of the fallback
> mechanisms? I would certainly use that while reviewing and testing my
> own patches.

Yes, you can do “GUIX_DOWNLOAD_FALLBACK_TEST=none” (added in
bd61d62182bfda4a695757ec66810b28e8e1a6d0).

Thanks,
Ludo’.
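The review concern in the thread is that a content-addressed fallback can make a dead URL look fine. Beside building with the fallback disabled, a reviewer can verify independently that the declared URL really serves the declared bytes. The checker below is an added example, not Guix's own code; it assumes the package's hash has been converted to hex (for instance with `guix hash --format`) and, for the offline run, uses a constructed stand-in file instead of the real tarball.

```python
"""Added example, not Guix code: check a declared source URL with no fallback.
Guix's content-addressed fallbacks (Nix mirror, Software Heritage) let a build
succeed even when the declared URL is a 404, provided the hash is known to a
fallback. This fetches exactly the declared URL and compares what it serves
with the declared SHA-256, so a dead URL or a mismatch is reported, not hidden.
"""
import hashlib
import os
import tempfile
import urllib.error
import urllib.request


def sha256_of_url(url, timeout=30):
    """SHA-256 hex digest of the body served at `url`; no mirror, no SWH.
    Raises URLError (including HTTP 404) when the URL is not served."""
    digest = hashlib.sha256()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_origin(url, expected_sha256):
    """Return (status, detail). 'ok': URL serves the declared content;
    'unreachable': URL cannot be fetched (the case a fallback would hide);
    'mismatch': URL serves something other than the declared hash."""
    try:
        actual = sha256_of_url(url)
    except (urllib.error.URLError, OSError) as exc:
        return "unreachable", str(exc)
    if actual != expected_sha256.strip().lower():
        return "mismatch", actual
    return "ok", actual


def make_sample_tarball():
    """Constructed stand-in for a release tarball (e.g. grep-3.4.tar.xz) so the
    check can be exercised offline; returns (file:// URL, declared sha256)."""
    path = os.path.join(tempfile.mkdtemp(), "grep-3.4.tar.xz")
    data = b"constructed sample bytes standing in for a real tarball\n"
    with open(path, "wb") as f:
        f.write(data)
    url = "file://" + urllib.request.pathname2url(os.path.abspath(path))
    return url, hashlib.sha256(data).hexdigest()
```

Run `check_origin` against the real `https://` URL from the package definition when reviewing; a status other than `ok` means the listed URL alone would not have produced the source.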