From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id gxJ4F/+FbmFJiwAAgWs5BA (envelope-from ) for ; Tue, 19 Oct 2021 10:46:55 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id ADSvEv+FbmFNGAAA1q6Kng (envelope-from ) for ; Tue, 19 Oct 2021 08:46:55 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B4B1610729 for ; Tue, 19 Oct 2021 10:46:54 +0200 (CEST) Received: from localhost ([::1]:41196 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mcklo-0001NS-IL for larch@yhetil.org; Tue, 19 Oct 2021 04:46:52 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46684) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mcklH-0001Mw-Qx for guix-devel@gnu.org; Tue, 19 Oct 2021 04:46:20 -0400 Received: from mail-wr1-x434.google.com ([2a00:1450:4864:20::434]:45958) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mcklF-0007sR-UH for guix-devel@gnu.org; Tue, 19 Oct 2021 04:46:19 -0400 Received: by mail-wr1-x434.google.com with SMTP id r10so46271868wra.12 for ; Tue, 19 Oct 2021 01:46:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:subject:in-reply-to:references:date:message-id:mime-version :content-transfer-encoding; bh=L9r292em8nlkcG4LtW7eHjdgMKoyUIlFWrB7ZKUJX40=; b=RCWzIlis52VgKlzu3hUNSBrPB7Cjv3cJ99tuznw083GcHh1NSw8sxAgGe/DuNRtQIs Kmi+VAnkdDzF+kFMmUysYI5fxFiGWwMwWcP0tovkzEIjjA+mzpIDY+CovKoj4Va/Liai dnvgA8/cjUsU1Gq6OIbJ62KjMYvgkDgtCZ3lus3TUpcx6jdjSAYMKMDpYK0ZxQlXvIIB 5eyA8FqqhZDmo2NNKD2xXJFVar6Rnt9F70IScSgoXWbKN+RynWsDSN2cMpSVCNrxhldJ K0ls/9WvM0JSEABwvq7HaAtoqm7/6J+x6mNA1hljGg66uWrigen7GjO9X9/a/E1gvjj3 eGkw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:in-reply-to:references:date :message-id:mime-version:content-transfer-encoding; bh=L9r292em8nlkcG4LtW7eHjdgMKoyUIlFWrB7ZKUJX40=; b=Oa1sER3nRf3zehje/8d6ddLeGCrfDKIz2S9/KmCOii4QtFPKU3fTNDtMndk9lslViZ kuvR6hbU0HVE41zq2qNCOr4qLeVP0EwaRdAh1GDA1t8m1D/gNC7CX7P5uR8EP4bSBXnu Wzj9TH6A+JLGfEcbdNiz8UsPc4J6yb5tsC5ZYYz61ZwNTE0uVdPUtEu9Tt3KSCD4k+ay UCgzrcVMOwqoH0e1u7vWTSFxMRX/2m3C6jfpAeATPKxR81/JwubkN/GA+FAV5NwbwkRw UKazQIxPrnaFps4Mu4HFqLUCkhMIPinnjrtPSlc3a2GlfuXn/eBZ0nx6XfgKrr0nqey7 bG+g== X-Gm-Message-State: AOAM530+MZGtgjGPDIxJZB9/8vkVwjGNRfUP2T/T+murS3YDg0C4Wr4I r3nvW6T4tFf1T3LrTGBSdBKeF70yED4= X-Google-Smtp-Source: ABdhPJzK7sXoy7iCV2nykDO6NhedfWG1yJbR8jZMi14iODYZR4LCILYP60Qm5Lr8eL5fKDn9jRQuQA== X-Received: by 2002:adf:b19c:: with SMTP id q28mr42442298wra.348.1634633175329; Tue, 19 Oct 2021 01:46:15 -0700 (PDT) Received: from lili ([2a01:e0a:59b:9120:65d2:2476:f637:db1e]) by smtp.gmail.com with ESMTPSA id n9sm1697127wmq.6.2021.10.19.01.46.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Oct 2021 01:46:15 -0700 (PDT) From: zimoun To: Ludovic =?utf-8?Q?Court=C3=A8s?= , guix-devel@gnu.org Subject: Re: Tricking peer review In-Reply-To: <874k9if7am.fsf@inria.fr> References: <874k9if7am.fsf@inria.fr> Date: Tue, 19 Oct 2021 10:36:55 +0200 Message-ID: <86ee8hfm1k.fsf@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=2a00:1450:4864:20::434; envelope-from=zimon.toutoune@gmail.com; helo=mail-wr1-x434.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1634633215; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=L9r292em8nlkcG4LtW7eHjdgMKoyUIlFWrB7ZKUJX40=; b=FsqP4j6hkhWMXBRmmsWqKDCv4r9xTYqv/HUbZqo914nzBeYcteWt8MrjswE1a6Mz8VZZ6B 16mG86dvm2K7dDagJjf3wSKm1XRtiPcXVjLqXCIYMsyr6ioWSu8E4oPkB7dU9LfH2itYNM 8EDm7BDsrdt1e9sa6ypFsoK12owGZl+1XBP5Px9/uy8tU4KYlkcrnIl6tEo1kkDHmN4oQF lzIJCj1ARQDgM/r8tAmeEbp0q6mTJRIincaJXWK4SK3+f4xhdZBL5gzbGaxDLcN0utWza3 Sb4rJmq4uGkB0jRClblUS+5/k3GXp3doLdp+wi6zyCPYpw3YVfP78Loh4yZOqQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1634633215; a=rsa-sha256; cv=none; b=Jsq2hv6+h1a+Y7eT47Pfg3b7oNMZPhFlEberZD7b0/1zPL9JUlo1L3VTRkxdl10uEXFggi c+R4HyVhRoV04pj9//52xfky8rdH7L4E8mXznRYPOZ1dPHaodfUjqTfgMmYyWttkcfXHG0 l1L/miHWonW3sEQ+PuEvHQOmVlQQSeT+gHLkOOWEGOLsw5SrA1YrRiDm9Ulhur+jacvSxa K2Ylrq59rzXapUu+z/UQAsWwMT/EP1M01FjWPp1FKf55SegXj0+neUusatPCOX12jMwfZ2 x8R2/n/SZD5yTDoobCPdve5xkBxfoq9aK5VMWDCchkLi31KbpT4//g1NyKpmlg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=RCWzIlis; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.13 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=RCWzIlis; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: B4B1610729 X-Spam-Score: -3.13 X-Migadu-Scanner: scn0.migadu.com X-TUID: ytjkPQJGeWMf Hi, On Fri, 15 Oct 2021 at 20:54, Ludovic Court=C3=A8s wrote: > --8<---------------cut here---------------start------------->8--- > $ guix build -f /tmp/content-addressed.scm -S --check=20 > La jena deriva=C4=B5o estos konstruata: > /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv > building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv... > > Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.= tar.gz > From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz... > following redirection to `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar= .gz'... > download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 = "Not Found" > > [...] > > Starting download of /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.= tar.gz > From https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41= a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/... > downloading from https://archive.softwareheritage.org/api/1/content/sha25= 6:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/ ... > > warning: rewriting hashes in `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr= -sed-4.8.tar.gz'; cross fingers > successfully built /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.ta= r.gz.drv > --8<---------------cut here---------------end--------------->8--- The message can be even more =E2=80=9Cspottable=E2=80=9D than the URL =E2=80=99archive.softwareheritage.org=E2=80=99 if the vault requires a cook= ing. One will see =C2=ABSWH vault: requested bundle cooking, waiting for completion...=C2=BB or =C2=ABSWH vault: retrying...=C2=BB. Yeah, it is hidden with the option =E2=80=99v0=E2=80=99 but it is the user= =E2=80=99s responsibility to check, IMHO. > It=E2=80=99s nothing new, it=E2=80=99s what I do when I want to test the = download > fallbacks (see also =E2=80=98GUIX_DOWNLOAD_FALLBACK_TEST=E2=80=99 in comm= it > c4a7aa82e25503133a1bd33148d17968c899a5f5). Still, I wonder if it could > somehow be abused to have malicious packages pass review. Yes, it is nothing new. Somehow, it is an issue with any content-addressed system. Here, we need to split the issue depending on the origins: - url-fetch: the attacker has to introduce the tarballs into SWH. There is not so much means, from my understanding: SWH ingests tarballs via loaders, for instance gnu.org or sources.json or debian.org etc. Therefore the attacker has to introduce the malicious code to these platforms. - url-fetch without metadata (as your example), indeed, the reviewer could be abused; mitigated by the fact that =E2=80=9Cguix lint=E2=80=9D = spots the potential issue. - url-fetch with metadata: the attacker have to also corrupt Diasarchive-DB. Otherwise, the tarball returned by SWH will not match the checksum. - svn-fetch, hg-fetch, cvs-fetch: no attack possible, yet. - git-fetch: it is the *real* issue. Because it is easy for the attacker to introduce malicious code into SWH (create a repo on GitHub, click Save, done). Then submit a package using it as you did. It is the same case as url-fetch without metadata but easier for the attacker. It is mitigated by =E2=80=9Cguix lint=E2=80=9D. That=E2=80=99s said, if I am an attacker and I would like to corrupt Guix, = then I would create a fake project mimicking a complex software. For instance, Gmsh is a complex C++ scientific software. The correct URL is and the source at . Then, as an attacker, I buy the domain say gmsh.org and put a malicious code there. Last, I send for inclusion a package using this latter URL. The reviewer would be abused. That=E2=80=99s why more eyes, less issues. :-) =20=20=20 > Also, just because a URL looks nice and is reachable doesn=E2=80=99t mean= the > source is trustworthy either. An attacker could submit a package for an > obscure piece of software that happens to be malware. The difference > here is that the trick above would allow targeting a high-impact > package. I agree. > On the plus side, such an attack would be recorded forever in Git > history. I agree again. :-) > All in all, it=E2=80=99s probably not as worrisome as it first seems. Ho= wever, > it=E2=80=99s worth keeping in mind when reviewing a package. I agree with a minor comment. From my opinion, not enough patches are going via guix-patches and are pushed directly. For instance, the =C2=ABCommit policy=C2=BB section says =C2=ABFor patches = that just add a new package, and a simple one, it=E2=80=99s OK to commit, if you=E2= =80=99re confident (which means you successfully built it in a chroot setup, and have done a reasonable copyright and license auditing).=C2=BB And from my point of view, new packages should *always* go via guix-patches, wait 15 days, then push if no remark. It lets the time for the community to chime in. And if not, it just slows down for 2 weeks. Cheers, simon