From: Ludovic Courtès
To: Simon Tournier
Cc: 60782@debbugs.gnu.org
Subject: bug#60782: Channels and dependency confusion
Date: Mon, 16 Jan 2023 10:00:01 +0100
Message-ID: <87cz7e7t2m.fsf@inria.fr>
In-Reply-To: <87sfgeuzgm.fsf@gmail.com> (Simon Tournier's message of "Fri, 13 Jan 2023 18:16:41 +0100")

Hello,

Simon Tournier skribis:

> On Fri, 13 Jan 2023 at 14:48, Ludovic Courtès wrote:
>
>> Nothing, because the ‘guix’ channel always comes first in the module
>> search path (see ‘%package-module-path’ in (gnu packages)). Good.
>>
>> Now same scenario, but with references to another channel, for example
>> (@ (past packages boost) boost-1.68) provided by Guix-Past.
>
> The PyPI attack used to compromise PyTorch exploits the fact that the
> PyPI index takes precedence, and sadly PyPI is not curated.
>
> https://github.com/pypa/pip/issues/8606
>
> Well, the assumption for a similar attack using Guix channels is that
> the user first adds the channel to their channel list. Therefore, they
> trust what they consider able to be trusted. ;-)

Right, users would have to explicitly add the offending channel to their
channel list in the first place. (And there are many other ways channel
code could mess with one’s machine.)

>> This time, if the user pulls in an additional channel that also provides
>> (@ (past packages boost) boost-1.68), we do not know which one is going
>> to take precedence. It may go unnoticed though, because
>> ‘channel-instances->derivation’ calls ‘profile-derivation’, which uses
>> ‘build-profile’, which calls ‘union-build’ with the default file
>> collision policy, which is to warn (the warning only appears in the
>> build log).
>>
>> I think it would be best to error out if multiple channels provide
>> same-named files.
>
> Yes, it could be a counter-measure. Aside from the security risk, it even
> appears to me sane to error because this collision leads to undefined
> behaviour. And such undefined behaviours should be removed; they are
> never a good thing.

+1!

Ludo’.
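The collision check the thread argues for, as an added example in Python (not Guix code, which does this in Guile): it models the union of several channels' file trees and refuses to build when two channels provide a same-named file with different contents, instead of only warning in the build log. Channel names and file contents are constructed for the demonstration.

```python
"""Added example (not Guix code): a small model of the channel union build
discussed above, with a collision policy that errors out instead of warning."""

from typing import Dict, List, Tuple

# A channel is (name, {path-in-channel: file bytes}); the list is in the
# order of the user's channel list, so earlier channels take precedence.
Channel = Tuple[str, Dict[str, bytes]]


class ChannelCollisionError(Exception):
    """Two channels ship different contents under the same path."""


def find_collisions(channels: List[Channel]) -> List[Tuple[str, List[str]]]:
    """Return [(path, [channel names])] for every path that more than one
    channel provides with differing contents.  Byte-identical copies are
    not reported (assumption: only files that actually differ matter)."""
    seen: Dict[str, List[Tuple[str, bytes]]] = {}
    for name, files in channels:
        for path, contents in files.items():
            seen.setdefault(path, []).append((name, contents))
    collisions = []
    for path, providers in seen.items():
        if len({contents for _, contents in providers}) > 1:
            collisions.append((path, [name for name, _ in providers]))
    return collisions


def union_build(channels: List[Channel], collision_policy: str = "error"):
    """Merge the channel trees.  With "warn" (the default behaviour the
    thread describes) the first channel silently wins and a warning is
    recorded; with "error" the build is refused so the ambiguity never
    reaches the user's profile.  Returns (merged_tree, warnings)."""
    collisions = find_collisions(channels)
    if collisions and collision_policy == "error":
        detail = "; ".join(f"{p} from {', '.join(n)}" for p, n in collisions)
        raise ChannelCollisionError(f"same-named files in channels: {detail}")
    merged: Dict[str, bytes] = {}
    for _, files in channels:
        for path, contents in files.items():
            merged.setdefault(path, contents)  # first provider wins
    warnings = [f"warning: collision encountered: {p}" for p, _ in collisions]
    return merged, warnings


# Constructed sample: two channels both providing (past packages boost),
# plus one byte-identical file that must not count as a collision.
SAMPLE_CHANNELS: List[Channel] = [
    ("guix-past", {"past/packages/boost.scm": b"(define-public boost-1.68 ...)",
                   "past/packages/common.scm": b";; shared"}),
    ("other-channel", {"past/packages/boost.scm": b"(define-public boost-1.68 #| differs |#)",
                       "past/packages/common.scm": b";; shared"}),
]
```

Running `union_build(SAMPLE_CHANNELS)` raises `ChannelCollisionError` naming `past/packages/boost.scm`, while `collision_policy="warn"` returns a tree in which `guix-past` wins and a single warning that, in the real build, would only be visible in the log.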