From: Ludovic Courtès
Subject: bug#60782: Channels and dependency confusion
To: 60782@debbugs.gnu.org (originally bug-guix@gnu.org)
Date: Fri, 13 Jan 2023 14:48:53 +0100
Message-ID: <87r0vybl4q.fsf@inria.fr>
In the light of the “dependency confusion” attack on PyTorch¹, one might wonder how such a thing could affect Guix. The threat model is quite different though because the ‘guix’ channel is peer-reviewed and curated whereas PyPI isn’t.

Yet, one way to “translate” the attack to Guix is by looking at module name clashes, as was suggested on Mastodon².

For example, I’m the author of a channel; my packages refer to (@ (gnu packages guile) guile-3.0), which I expect to be the “genuine” Guile provided by the ‘guix’ channel. What happens if the user pulls in an additional channel that also provides (gnu packages guile) with that ‘guile-3.0’ variable?

Nothing, because the ‘guix’ channel always comes first in the module search path (see ‘%package-module-path’ in (gnu packages)). Good.

Now same scenario, but with references to another channel, for example (@ (past packages boost) boost-1.68) provided by Guix-Past. This time, if the user pulls in an additional channel that also provides (@ (past packages boost) boost-1.68), we do not know which one is going to take precedence.

It may go unnoticed though, because ‘channel-instances->derivation’ calls ‘profile-derivation’, which uses ‘build-profile’, which calls ‘union-build’ with the default file collision policy, which is to warn (the warning only appears in the build log).

I think it would be best to error out if multiple channels provide same-named files.

Thoughts?

Ludo’.

¹ https://pytorch.org/blog/compromised-nightly-dependency/
² https://toot.aquilenet.fr/@Parnikkapore@mastodon.social/109636000975651971