From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id iJ97NMf6aWFwKAAAgWs5BA (envelope-from ) for ; Sat, 16 Oct 2021 00:03:51 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id SMwzMMf6aWFYHQAA1q6Kng (envelope-from ) for ; Fri, 15 Oct 2021 22:03:51 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E1CDC284F8 for ; Sat, 16 Oct 2021 00:03:50 +0200 (CEST) Received: from localhost ([::1]:57806 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mbVIr-0000dU-VK for larch@yhetil.org; Fri, 15 Oct 2021 18:03:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:47602) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mbVIX-0000c7-JN for guix-devel@gnu.org; Fri, 15 Oct 2021 18:03:29 -0400 Received: from mail-wm1-x342.google.com ([2a00:1450:4864:20::342]:33724) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mbVIV-0000md-Bg for guix-devel@gnu.org; Fri, 15 Oct 2021 18:03:29 -0400 Received: by mail-wm1-x342.google.com with SMTP id y16-20020a05600c17d000b0030db7a51ee2so2330575wmo.0 for ; Fri, 15 Oct 2021 15:03:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:subject:from:to:date:in-reply-to:references:user-agent :mime-version:content-transfer-encoding; bh=MMqNP30957Y4vNkt1p8dbf31ezMO+cPaY3GJ03FStoM=; b=V0137ii4K8CZ70uzLDMrUr9tOjXgDLf3mAZ4bCqvfttCybd/VKewWHGb+pKY30zzj0 PhdR2LMEOHaghFrX+aNr4rtPSJxofZUx4vGEmr5NZrzF5fMEym1FC3vH+qY5/mVVezOx QEQ3itGUE6h4lIrSTsb9GUlatD+LR0YAU0pe1f+52WTJXy7nmQTC3hjWymhd795uTNux KV9m1LBtQG7cnS3xqj4fFtxJGk8qyNPkd6wSvCxmRGtJ0gIsARL67o5WzzqJEHthqnSH Kv2aDGIr67sgNlInjXJOnXdGylCk06phSFs9gvlKY6IrzP3r6nsLeH8wafZf3bg5A/8f CGzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=MMqNP30957Y4vNkt1p8dbf31ezMO+cPaY3GJ03FStoM=; b=AqohHwR903G/31qKcjXOWgu4W47nTz5TrgUjvqzzz3tXjIpRG7buaSowVoBJmZxsyf m/V4weAxlDt9UKw9ALswmgkmyodvnrPEC7FJkoyETATrldQiE0goYN25lS/pR3WzOLRF N0tQOR7M8NaskD4JmXVsOsh2UwQcq+uZmvYcp7GWp8WSH+E3oOpcewIKQrSmDVNh20z6 1WEPCbDiRpCkLJnpHwPk8rGaQgBPSILWz5A6tyeUypNdmYCcyICLoqN41kv7ao4Q3x4t SBPJrb+sZqPwH1J4FeYQPeHW4Yd1a5BMd9favt0nZh44ff5mgDevPPIiZJ8vVHvq7i9C nDXQ== X-Gm-Message-State: AOAM531TxgWvzlNM9x4V5aT00N/NIwaTvPbkHIUZS5ymjHuaZ2nP5Ivc IRyJb4EwSKjRHg9EX+iJlxk= X-Google-Smtp-Source: ABdhPJy2c0L7rAZOtPoQB4WIy+NARLi+3unu67AiY7DR0N7ToZQj5NFZziKQPLqOaf8q/6zx96irTQ== X-Received: by 2002:a1c:2543:: with SMTP id l64mr28095351wml.9.1634335403993; Fri, 15 Oct 2021 15:03:23 -0700 (PDT) Received: from nijino.fritz.box (85-127-52-93.dsl.dynamic.surfer.at. [85.127.52.93]) by smtp.gmail.com with ESMTPSA id a2sm5984308wru.82.2021.10.15.15.03.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Oct 2021 15:03:23 -0700 (PDT) Message-ID: Subject: Re: Tricking peer review From: Liliana Marie Prikler To: Ludovic =?ISO-8859-1?Q?Court=E8s?= , guix-devel@gnu.org Date: Sat, 16 Oct 2021 00:03:22 +0200 In-Reply-To: <874k9if7am.fsf@inria.fr> References: <874k9if7am.fsf@inria.fr> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::342; envelope-from=liliana.prikler@gmail.com; helo=mail-wm1-x342.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1634335431; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=MMqNP30957Y4vNkt1p8dbf31ezMO+cPaY3GJ03FStoM=; b=BOj+6x7XKXzVtPrn1L7xhHShoZibv+rZuXOmUdM+4Dk68vh7TNTszF57ZYd2guPa0gJPpQ 03/kzoBP/UP+9cNp+89h+fEEEUwT1nale1Pz42mu7ROOmh8PsT+2lu74+ORA8GUDq499s5 w3+svLpju+Qe2gt8iXxv1gokW8YOTPw/d+x09bbYLHpzRf/rCHOcdnW4drskVmkEiIATHi jMwa6sQ2ETbNmQ9VUsj9/bQBDWP/kWUsa4yvvvmLr43FiZHCPXLtqmHC6u/zuSxzJ4DzQr MJmVcz89Gwlta6lxH+rFKofPa8TwJbTzTqy7auj9oXvQ24jv5P0V1fn2zbsGRA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634335431; a=rsa-sha256; cv=none; b=psmylOlBhpPBNyl2p2Jg0PACocQAalrmaxZbAffrGLyyQHDAWlgMKZibFjQ0Cscp1N8MPp NVq224gk1ZLQjHcXld78wcrAiu6wY1p9s1EyRJSdliuKXDpb3O6pRXG1LqiIe+NcuF+tVk q8E1eeptvvasZLhOp9utIgqigfb78PcznNNkOJ0/pQS2sb/GWsYMFY/kpUBtaVdVHToAFM izDr6Nz5KWp9mK0oWjI+ZA8rdFjz9ESwHfiAjhUYS3rB9bsILTZrkri4DGuuw9xyePasJe WWJ4spt1Hh3E3NQPPAdRqY7o68v0xazXrKxvXyhT+/x9DLJ7BUkIr8c2tWzAlw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=V0137ii4; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.12 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=V0137ii4; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: E1CDC284F8 X-Spam-Score: -3.12 X-Migadu-Scanner: scn0.migadu.com X-TUID: zrQdwtPcbrEj Hi, Am Freitag, den 15.10.2021, 20:54 +0200 schrieb Ludovic Courtès: > Hello, > > Consider this file as if it were a patch you’re reviewing: > (define-module (content-addressed)) > (use-modules (guix) > (guix build-system gnu) > (guix licenses) > (gnu packages perl)) > > (define-public sed > (package > (name "sed") > (version "4.8") > (source (origin > (method url-fetch) > (uri (string-append "mirror://gnu/zed/sed-" version > ".tar.gz")) To be fair, gnu/zed sounds wonky, but you could try inserting a version that does not exist (e.g. 1+ the current latest version) and as a committer thereby bypass review entirely. However, given that we trust committers in this aspect, I'd say they should be able to verify both URI and version field. This is trivially possible with most schemes safe for the mirror:// one. > (sha256 > (base32 > "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq") > ))) > (build-system gnu-build-system) > (synopsis "Stream editor") > (native-inputs > `(("perl" ,perl))) ;for tests > (description > "Sed is a non-interactive, text stream editor. It receives a > text > input from a file or from standard input and it then applies a series > of text > editing commands to the stream and prints its output to standard > output. It > is often used for substituting text patterns in a stream. The GNU > implementation offers several extensions over the standard utility.") > (license gpl3+) > (home-page "https://www.gnu.org/software/sed/"))) > > sed > It builds just fine: > > --8<---------------cut here---------------start------------->8--- > $ guix build -f /tmp/content-addressed.scm > /gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8 > $ guix build -f /tmp/content-addressed.scm -S --check -v0 > /gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz > --8<---------------cut here---------------end--------------->8--- > > Did you spot a problem? > > … > > > So, what did we just build? > > --8<---------------cut here---------------start------------->8--- > $ ls $(guix build -f /tmp/content-addressed.scm)/bin > egrep fgrep grep > --8<---------------cut here---------------end--------------->8--- > > Oh oh! This ‘sed’ package is giving us ‘grep’! How come? > > The trick is easy: we give a URL that’s actually 404, with the hash > of a file that can be found on Software Heritage (in this case, that > of ‘grep-3.4.tar.xz’). When downloading the source, the automatic > content-addressed fallback kicks in, and voilà: > > --8<---------------cut here---------------start------------->8--- > $ guix build -f /tmp/content-addressed.scm -S --check > La jena derivaĵo estos konstruata: > /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv > building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed- > 4.8.tar.gz.drv... > > Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed- > 4.8.tar.gz > > From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz... > following redirection to ` > https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'... > download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" > 404 "Not Found" > > [...] > > Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed- > 4.8.tar.gz > > From > > https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ > > ... > downloading from > https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ > ... > > warning: rewriting hashes in > `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross > fingers > successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed- > 4.8.tar.gz.drv > --8<---------------cut here---------------end--------------->8--- > > It’s nothing new, it’s what I do when I want to test the download > fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit > c4a7aa82e25503133a1bd33148d17968c899a5f5). Still, I wonder if it > could somehow be abused to have malicious packages pass review. I don't think this is much of a problem for packages where we have another source of truth (in this case mirrors/archives of sed), but it does point at a bigger problem when SWH is our only source of truth. I.e. when trying to conserve such software for the future, when other archives might fail and perhaps SHA256 itself might be broken, we can no longer be sure that the Guix time-machine indeed does what it promises. > Also, just because a URL looks nice and is reachable doesn’t mean the > source is trustworthy either. An attacker could submit a package for > an obscure piece of software that happens to be malware. The > difference here is that the trick above would allow targeting a high- > impact package. Again, less of an issue w.r.t. review because the reviewers can at review time check that the tarball matches their expectations. I personally find "I can't find this source anywhere but on SWH" to be a perfect reason to reject software in the main Guix channel, though perhaps that rule is a bit softer in Guix Past. > On the plus side, such an attack would be recorded forever in Git > history. On the minus side, time-machine makes said record a landmine to step into. > Also on the plus side, it turns out our origin URLs are currently > (unintentionally) limited to ASCII, so I couldn’t write “/ṡed” in the > URL. Couldn't one circumvent that with percent encoding and a nice enough file-name, however? > All in all, it’s probably not as worrisome as it first > seems. However, it’s worth keeping in mind when reviewing a package. > > Thoughts? I agree, that cross-checking “guix download” might be good praxis for review. Perhaps in light of this we should extend it to Git/SVN/other VCS? Regards, Liliana