Date: Wed, 20 Oct 2021 19:09:09 -0400
From: Leo Famulari
To: Ludovic Courtès
Subject: Re: Tricking peer review
In-Reply-To: <874k9if7am.fsf@inria.fr>
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."
On Fri, Oct 15, 2021 at 08:54:09PM +0200, Ludovic Courtès wrote:
> The trick is easy: we give a URL that’s actually 404, with the hash of a
> file that can be found on Software Heritage (in this case, that of
> ‘grep-3.4.tar.xz’). When downloading the source, the automatic
> content-addressed fallback kicks in, and voilà:

[...]

> Thoughts?

It's a real risk... another illustration that our security model trusts
committers implicitly (not saying that's a bad thing or even avoidable).

In years past I mentioned a similar technique but based on using
old/vulnerable versions of security-critical packages like OpenSSL. The
same approach would have worked since we started using Nix's
content-addressed mirror.

> It’s nothing new, it’s what I do when I want to test the download
> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
> c4a7aa82e25503133a1bd33148d17968c899a5f5). Still, I wonder if it could
> somehow be abused to have malicious packages pass review.

Nice feature! Sorry if this was already suggested, but is it possible to
create an argument to this variable that disallows use of the fallback
mechanisms? I would certainly use that while reviewing and testing my own
patches.
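Added example, not part of this thread and not Guix's own tooling: a small reviewer-side check of the kind the reply above asks for. It fetches each declared origin URL directly, with no content-addressed fallback of any sort, and compares the downloaded bytes to the hash in the package definition, so a URL that returns 404 while the hash is "known" is reported as `not-found` rather than being quietly satisfied from Software Heritage or a mirror. The nix-base32 encoder reproduces the string `guix hash` prints for a file (hex sha256 is accepted too). Everything else is constructed for offline use: the `example.invalid` URLs, the `fake_fetcher` stand-in for a real download, and the sample entries; the only real value is the hash of an empty file.

```python
"""Direct-origin check for reviewing package sources (added example).

Each declared source URL is fetched *as declared*, without any
content-addressed fallback, and the bytes are compared to the hash in
the package definition.  Verdicts:
  ok          bytes at the URL hash to the declared value
  not-found   the URL itself is a 404 (the trick discussed in the thread)
  mismatch    the URL serves something else than what the hash claims
  fetch-error any other network/HTTP failure
"""
import hashlib
import urllib.error
import urllib.request

# Nix/Guix base32 alphabet (omits e, o, t, u); this is what `guix hash` uses.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a raw digest the way Guix prints sha256 hashes in origins."""
    out_len = (len(digest) * 8 - 1) // 5 + 1
    chars = []
    for n in range(out_len - 1, -1, -1):   # most significant group first
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i < len(digest) - 1:
            c |= (digest[i + 1] << (8 - j)) & 0xFF
        chars.append(NIX_BASE32[c & 0x1F])
    return "".join(chars)


def guix_hash(data: bytes) -> str:
    """Same string `guix hash` prints for a regular file with this content."""
    return nix_base32(hashlib.sha256(data).digest())


def sha256_matches(data: bytes, expected: str) -> bool:
    """Compare against a base32 (52 chars) or hex (64 chars) sha256 value."""
    digest = hashlib.sha256(data).digest()
    expected = expected.strip().lower()
    if len(expected) == 52:
        return nix_base32(digest) == expected
    if len(expected) == 64:
        return digest.hex() == expected
    raise ValueError(f"unrecognised sha256 encoding: {expected!r}")


def fetch_direct(url: str, timeout: float = 30.0) -> bytes:
    """Download the origin URL itself; no mirror, no Software Heritage."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_origin(url: str, expected_sha256: str, fetch=fetch_direct) -> str:
    """Classify one (url, hash) pair using the given fetch function."""
    try:
        data = fetch(url)
    except urllib.error.HTTPError as err:
        return "not-found" if err.code == 404 else "fetch-error"
    except (urllib.error.URLError, OSError):
        return "fetch-error"
    return "ok" if sha256_matches(data, expected_sha256) else "mismatch"


def review(origins, fetch=fetch_direct):
    """origins: iterable of (package, url, sha256) -> list of (package, verdict)."""
    return [(name, check_origin(url, h, fetch)) for name, url, h in origins]


def fake_fetcher(table):
    """Offline stand-in for fetch_direct (constructed for testing).

    `table` maps url -> bytes to return, or an int HTTP status to raise.
    """
    def fetch(url):
        entry = table.get(url, 404)
        if isinstance(entry, int):
            raise urllib.error.HTTPError(url, entry, "constructed response", {}, None)
        return entry
    return fetch


if __name__ == "__main__":
    # Constructed entry: placeholder URL, hash is that of an empty file
    # (`guix hash /dev/null`).  Against the real network this yields
    # "fetch-error" because example.invalid does not resolve.
    SAMPLE = [("example-pkg", "https://example.invalid/example-1.0.tar.xz",
               "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73")]
    for name, verdict in review(SAMPLE):
        print(f"{name}: {verdict}")
```

Run it over the origins of the patch under review; anything other than `ok` means the package as written does not build from the URL it claims, whatever the fallbacks would have done.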