From: Ian Eure <ian@retrospec.tv>
To: Juliana Sims <juli@incana.org>
Cc: guix-devel@gnu.org
Subject: Re: Magic Wormhole Package Weirdness/Potential Security Issues?
Date: Fri, 08 Nov 2024 11:09:10 -0800
Message-ID: <87ed3l35el.fsf@meson>
In-Reply-To: <0W9NMS.7ID0I9IORJ19@incana.org>
Hi Juliana,

I’ve observed some similar weirdness in the past when I’ve updated
versions. I believe what’s happening is that Guix uses the hash
to look up the file in a content-addressed store (either the local
store or SWH), and is lacking verification that the retrieved
object is the expected one.

— Ian

Juliana Sims <juli@incana.org> writes:
> Hey folks,
>
> I tried to update magic-wormhole today and things went super smoothly.
> All I had to do was change the version number.
>
> I didn't even have to change the source hash.
>
> If that strikes you as odd, good! It should!
>
> To cover all my bases, I pk'd the hash produced by `pypi-uri` and used
> `guix download` to try to fetch the same file and check its hash, only
> to find that `guix download` couldn't find anything at that URL or its
> fallbacks.
>
> To test if things were being exceptionally weird, I switched to
> pulling and building from git, and the build failed, expectedly,
> probably because one of the dependencies
> (magic-wormhole-transit-relay) was not the right version, which was
> what I had initially expected to happen.
>
> Does anyone know what might be going on here? Given the intended
> secure nature of this program, I'm concerned there may be something
> malicious happening somewhere along the way. I would love an
> explanation that quiets that concern.
>
> You can look at the current magic-wormhole package source and play
> around with it yourself to see what I'm talking about.
>
> Best,
> Juli
>
> PS I was trying to update all three packages in magic-wormhole.scm,
> but the transit relay in particular requires later versions of twisted
> and autobahn than the other two, which is minorly annoying. I know
> twisted can't be updated without rebuilding a bunch of stuff, so I
> don't plan to pursue this further for the time being.
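The failure mode Ian describes above (a fetch keyed by the expected hash that returns whatever object already carries that hash, without checking that it is the file the updated package definition now points at) is easy to see in a small simulation. The following is an added example written for this thread; it is not Guix code and does not reproduce Guix internals (Guix uses nix-base32 hashes and a real store, this uses hex SHA-256 and an in-memory dictionary). It models two defender checks a packager can apply during a version bump: flag a definition whose version changed but whose source hash did not, and re-fetch the upstream URL independently of the store, which is what running `guix download` does.

```python
"""Hash-keyed (fixed-output) fetch cache with two update-time checks.

Constructed simulation for illustration; not Guix code.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "upstream": URL -> tarball bytes. The hostname is a placeholder.
UPSTREAM = {
    "https://example.invalid/magic-wormhole-0.1.tar.gz": b"wormhole source v0.1",
    "https://example.invalid/magic-wormhole-0.2.tar.gz": b"wormhole source v0.2",
}


class FixedOutputStore:
    """Content-addressed store: objects are keyed by the SHA-256 of their bytes."""

    def __init__(self) -> None:
        self.objects: dict[str, bytes] = {}
        self.downloads: list[str] = []  # URLs that were actually contacted

    def fetch(self, url: str, expected_hash: str) -> bytes:
        # The store is consulted by hash first. If an object with that hash
        # already exists, the URL is never contacted, so a stale hash in the
        # package definition silently yields the old tarball.
        if expected_hash in self.objects:
            return self.objects[expected_hash]
        self.downloads.append(url)
        data = UPSTREAM[url]
        actual = sha256_hex(data)
        if actual != expected_hash:
            raise ValueError(f"hash mismatch for {url}: expected {expected_hash}, got {actual}")
        self.objects[actual] = data
        return data


@dataclass(frozen=True)
class PackageDef:
    name: str
    version: str
    url: str
    source_hash: str


def audit_version_bump(old: PackageDef, new: PackageDef) -> list[str]:
    """Check 1: a version bump whose source hash is unchanged is suspicious."""
    findings = []
    if old.version != new.version and old.source_hash == new.source_hash:
        findings.append(
            "version changed but source hash did not: a hash-keyed lookup "
            "will return the previously stored tarball"
        )
    return findings


def verify_against_upstream(url: str, expected_hash: str) -> bool:
    """Check 2: re-fetch from upstream, bypassing the store entirely."""
    data = UPSTREAM.get(url)
    if data is None:
        return False  # URL not found at all
    return sha256_hex(data) == expected_hash


def run_scenario() -> dict:
    """Walk through a stale-hash version bump and return what each check sees."""
    old_hash = sha256_hex(UPSTREAM["https://example.invalid/magic-wormhole-0.1.tar.gz"])
    old = PackageDef("magic-wormhole", "0.1",
                     "https://example.invalid/magic-wormhole-0.1.tar.gz", old_hash)
    # The "update": version and URL bumped, hash copied over unchanged.
    new = PackageDef("magic-wormhole", "0.2",
                     "https://example.invalid/magic-wormhole-0.2.tar.gz", old_hash)

    store = FixedOutputStore()
    store.fetch(old.url, old.source_hash)          # populates the store
    served = store.fetch(new.url, new.source_hash)  # hits the store, no download
    return {
        "served_content": served,
        "downloads": list(store.downloads),
        "audit_findings": audit_version_bump(old, new),
        "old_verifies": verify_against_upstream(old.url, old.source_hash),
        "new_verifies": verify_against_upstream(new.url, new.source_hash),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

Running it shows the store serving the 0.1 tarball for the 0.2 definition with no second download, the audit flagging the unchanged hash, and the independent re-fetch of the 0.2 URL failing the hash comparison. The two checks are cheap enough to run on every source-hash-bearing update, regardless of what the store happens to contain.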
Thread overview:
2024-11-08 18:26 Magic Wormhole Package Weirdness/Potential Security Issues? Juliana Sims
2024-11-08 19:09 ` Ian Eure [this message]
2024-11-08 19:18 ` Troy Figiel
2024-11-09 6:41 ` Julien Lepiller
2024-11-10 20:53 ` Leo Famulari