From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id iJ97NMf6aWFwKAAAgWs5BA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 16 Oct 2021 00:03:51 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id SMwzMMf6aWFYHQAA1q6Kng
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 15 Oct 2021 22:03:51 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id E1CDC284F8
	for <larch@yhetil.org>; Sat, 16 Oct 2021 00:03:50 +0200 (CEST)
Received: from localhost ([::1]:57806 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1mbVIr-0000dU-VK
	for larch@yhetil.org; Fri, 15 Oct 2021 18:03:49 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:47602)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <liliana.prikler@gmail.com>)
 id 1mbVIX-0000c7-JN
 for guix-devel@gnu.org; Fri, 15 Oct 2021 18:03:29 -0400
Received: from mail-wm1-x342.google.com ([2a00:1450:4864:20::342]:33724)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <liliana.prikler@gmail.com>)
 id 1mbVIV-0000md-Bg
 for guix-devel@gnu.org; Fri, 15 Oct 2021 18:03:29 -0400
Received: by mail-wm1-x342.google.com with SMTP id
 y16-20020a05600c17d000b0030db7a51ee2so2330575wmo.0
 for <guix-devel@gnu.org>; Fri, 15 Oct 2021 15:03:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=message-id:subject:from:to:date:in-reply-to:references:user-agent
 :mime-version:content-transfer-encoding;
 bh=MMqNP30957Y4vNkt1p8dbf31ezMO+cPaY3GJ03FStoM=;
 b=V0137ii4K8CZ70uzLDMrUr9tOjXgDLf3mAZ4bCqvfttCybd/VKewWHGb+pKY30zzj0
 PhdR2LMEOHaghFrX+aNr4rtPSJxofZUx4vGEmr5NZrzF5fMEym1FC3vH+qY5/mVVezOx
 QEQ3itGUE6h4lIrSTsb9GUlatD+LR0YAU0pe1f+52WTJXy7nmQTC3hjWymhd795uTNux
 KV9m1LBtQG7cnS3xqj4fFtxJGk8qyNPkd6wSvCxmRGtJ0gIsARL67o5WzzqJEHthqnSH
 Kv2aDGIr67sgNlInjXJOnXdGylCk06phSFs9gvlKY6IrzP3r6nsLeH8wafZf3bg5A/8f
 CGzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to
 :references:user-agent:mime-version:content-transfer-encoding;
 bh=MMqNP30957Y4vNkt1p8dbf31ezMO+cPaY3GJ03FStoM=;
 b=AqohHwR903G/31qKcjXOWgu4W47nTz5TrgUjvqzzz3tXjIpRG7buaSowVoBJmZxsyf
 m/V4weAxlDt9UKw9ALswmgkmyodvnrPEC7FJkoyETATrldQiE0goYN25lS/pR3WzOLRF
 N0tQOR7M8NaskD4JmXVsOsh2UwQcq+uZmvYcp7GWp8WSH+E3oOpcewIKQrSmDVNh20z6
 1WEPCbDiRpCkLJnpHwPk8rGaQgBPSILWz5A6tyeUypNdmYCcyICLoqN41kv7ao4Q3x4t
 SBPJrb+sZqPwH1J4FeYQPeHW4Yd1a5BMd9favt0nZh44ff5mgDevPPIiZJ8vVHvq7i9C
 nDXQ==
X-Gm-Message-State: AOAM531TxgWvzlNM9x4V5aT00N/NIwaTvPbkHIUZS5ymjHuaZ2nP5Ivc
 IRyJb4EwSKjRHg9EX+iJlxk=
X-Google-Smtp-Source: ABdhPJy2c0L7rAZOtPoQB4WIy+NARLi+3unu67AiY7DR0N7ToZQj5NFZziKQPLqOaf8q/6zx96irTQ==
X-Received: by 2002:a1c:2543:: with SMTP id l64mr28095351wml.9.1634335403993; 
 Fri, 15 Oct 2021 15:03:23 -0700 (PDT)
Received: from nijino.fritz.box (85-127-52-93.dsl.dynamic.surfer.at.
 [85.127.52.93])
 by smtp.gmail.com with ESMTPSA id a2sm5984308wru.82.2021.10.15.15.03.22
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 15 Oct 2021 15:03:23 -0700 (PDT)
Message-ID: <daa70f61feb91fd0e358c110885ce4b2fc55bd61.camel@gmail.com>
Subject: Re: Tricking peer review
From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: Ludovic =?ISO-8859-1?Q?Court=E8s?= <ludovic.courtes@inria.fr>, 
 guix-devel@gnu.org
Date: Sat, 16 Oct 2021 00:03:22 +0200
In-Reply-To: <874k9if7am.fsf@inria.fr>
References: <874k9if7am.fsf@inria.fr>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::342;
 envelope-from=liliana.prikler@gmail.com; helo=mail-wm1-x342.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1634335431;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=MMqNP30957Y4vNkt1p8dbf31ezMO+cPaY3GJ03FStoM=;
	b=BOj+6x7XKXzVtPrn1L7xhHShoZibv+rZuXOmUdM+4Dk68vh7TNTszF57ZYd2guPa0gJPpQ
	03/kzoBP/UP+9cNp+89h+fEEEUwT1nale1Pz42mu7ROOmh8PsT+2lu74+ORA8GUDq499s5
	w3+svLpju+Qe2gt8iXxv1gokW8YOTPw/d+x09bbYLHpzRf/rCHOcdnW4drskVmkEiIATHi
	jMwa6sQ2ETbNmQ9VUsj9/bQBDWP/kWUsa4yvvvmLr43FiZHCPXLtqmHC6u/zuSxzJ4DzQr
	MJmVcz89Gwlta6lxH+rFKofPa8TwJbTzTqy7auj9oXvQ24jv5P0V1fn2zbsGRA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634335431; a=rsa-sha256; cv=none;
	b=psmylOlBhpPBNyl2p2Jg0PACocQAalrmaxZbAffrGLyyQHDAWlgMKZibFjQ0Cscp1N8MPp
	NVq224gk1ZLQjHcXld78wcrAiu6wY1p9s1EyRJSdliuKXDpb3O6pRXG1LqiIe+NcuF+tVk
	q8E1eeptvvasZLhOp9utIgqigfb78PcznNNkOJ0/pQS2sb/GWsYMFY/kpUBtaVdVHToAFM
	izDr6Nz5KWp9mK0oWjI+ZA8rdFjz9ESwHfiAjhUYS3rB9bsILTZrkri4DGuuw9xyePasJe
	WWJ4spt1Hh3E3NQPPAdRqY7o68v0xazXrKxvXyhT+/x9DLJ7BUkIr8c2tWzAlw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=V0137ii4;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Spam-Score: -3.12
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=V0137ii4;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: E1CDC284F8
X-Spam-Score: -3.12
X-Migadu-Scanner: scn0.migadu.com
X-TUID: zrQdwtPcbrEj

Hi,

Am Freitag, den 15.10.2021, 20:54 +0200 schrieb Ludovic Courtès:
> Hello,
> 
> Consider this file as if it were a patch you’re reviewing:

> (define-module (content-addressed))
> (use-modules (guix)
>              (guix build-system gnu)
>              (guix licenses)
>              (gnu packages perl))
> 
> (define-public sed
>   (package
>    (name "sed")
>    (version "4.8")
>    (source (origin
>             (method url-fetch)
>             (uri (string-append "mirror://gnu/zed/sed-" version
>                                 ".tar.gz"))
To be fair, gnu/zed sounds wonky, but you could try inserting a version
that does not exist (e.g. 1+ the current latest version) and as a
committer thereby bypass review entirely.  However, given that we trust
committers in this aspect, I'd say they should be able to verify both
URI and version field.  This is trivially possible with most schemes
safe for the mirror:// one.
>             (sha256
>              (base32
>               "1yy33kiwrxrwj2nxa4fg15bvmwyghqbs8qwkdvy5phm784f7brjq")
> )))
>    (build-system gnu-build-system)
>    (synopsis "Stream editor")
>    (native-inputs
>     `(("perl" ,perl)))                            ;for tests
>    (description
>     "Sed is a non-interactive, text stream editor.  It receives a
> text
> input from a file or from standard input and it then applies a series
> of text
> editing commands to the stream and prints its output to standard
> output.  It
> is often used for substituting text patterns in a stream.  The GNU
> implementation offers several extensions over the standard utility.")
>    (license gpl3+)
>    (home-page "https://www.gnu.org/software/sed/")))
> 
> sed

> It builds just fine:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix build -f /tmp/content-addressed.scm  
> /gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
> $ guix build -f /tmp/content-addressed.scm -S --check -v0
> /gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
> --8<---------------cut here---------------end--------------->8---
> 
> Did you spot a problem?
> 
> …
> 
> 
> So, what did we just build?
> 
> --8<---------------cut here---------------start------------->8---
> $ ls $(guix build -f /tmp/content-addressed.scm)/bin
> egrep  fgrep  grep
> --8<---------------cut here---------------end--------------->8---
> 
> Oh oh!  This ‘sed’ package is giving us ‘grep’!  How come?
> 
> The trick is easy: we give a URL that’s actually 404, with the hash
> of a file that can be found on Software Heritage (in this case, that
> of ‘grep-3.4.tar.xz’).  When downloading the source, the automatic
> content-addressed fallback kicks in, and voilà:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix build -f /tmp/content-addressed.scm  -S --check 
> La jena derivaĵo estos konstruata:
>    /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
> building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-
> 4.8.tar.gz.drv...
> 
> Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-
> 4.8.tar.gz
> > From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
> following redirection to `
> https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
> download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz"
> 404 "Not Found"
> 
> [...]
> 
> Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-
> 4.8.tar.gz
> > From 
> > https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/
> > ...
> downloading from 
> https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/
> ...
> 
> warning: rewriting hashes in
> `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross
> fingers
> successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-
> 4.8.tar.gz.drv
> --8<---------------cut here---------------end--------------->8---
> 
> It’s nothing new, it’s what I do when I want to test the download
> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
> c4a7aa82e25503133a1bd33148d17968c899a5f5).  Still, I wonder if it
> could somehow be abused to have malicious packages pass review.
I don't think this is much of a problem for packages where we have
another source of truth (in this case mirrors/archives of sed), but it
does point at a bigger problem when SWH is our only source of truth. 
I.e. when trying to conserve such software for the future, when other
archives might fail and perhaps SHA256 itself might be broken, we can
no longer be sure that the Guix time-machine indeed does what it
promises.

> Also, just because a URL looks nice and is reachable doesn’t mean the
> source is trustworthy either.  An attacker could submit a package for
> an obscure piece of software that happens to be malware.  The
> difference here is that the trick above would allow targeting a high-
> impact package.
Again, less of an issue w.r.t. review because the reviewers can at
review time check that the tarball matches their expectations.  I
personally find "I can't find this source anywhere but on SWH" to be a
perfect reason to reject software in the main Guix channel, though
perhaps that rule is a bit softer in Guix Past.

> On the plus side, such an attack would be recorded forever in Git
> history.
On the minus side, time-machine makes said record a landmine to step
into.

> Also on the plus side, it turns out our origin URLs are currently
> (unintentionally) limited to ASCII, so I couldn’t write “/ṡed” in the
> URL.
Couldn't one circumvent that with percent encoding and a nice enough
file-name, however?

> All in all, it’s probably not as worrisome as it first
> seems.  However, it’s worth keeping in mind when reviewing a package.
> 
> Thoughts?
I agree, that cross-checking “guix download” might be good praxis for
review.  Perhaps in light of this we should extend it to Git/SVN/other
VCS?

Regards,
Liliana