Date: Wed, 10 Feb 2021 08:48:25 +0100
From: Lars-Dominik Braun
To: Ryan Prior
Cc: Development of GNU Guix and the GNU System distribution
Subject: Re: Mitigating "dependency confusion" attacks on Guix users
In-Reply-To: <461926c3d053474dd7196c9ed8f59a45b8c9c82f@hey.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

very interesting read.

> However, I'm still thinking about how to attack Guix users. Somebody who
> adds an internal channel for their own packages could still be
> vulnerable to a dependency confusion attack via a compromised or
> manipulated Guix maintainer. The target of the attack could install
> packages they believed would be provided by their internal channel but
> actually get another package provided upstream.

Usually you’d use module imports and variable names inside your channel’s
packages. Wouldn’t that defeat this attack? (Depending on Guix’/Guile’s
module loading order of course.)

What about substitute servers? As far as I understand, as soon as they’re
authorized they can deliver substitutes for *any* package.

Lars
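To illustrate the distinction Lars draws between referencing a package by module import plus variable name and looking it up by name, here is an added example in Guile Scheme; it is not code from the thread or from Guix itself, and the channel module names (my-channel packages ...) and the package contents are constructed placeholders.

```scheme
;; File: my-channel/packages/internal-lib.scm (hypothetical channel module)
(define-module (my-channel packages internal-lib)
  #:use-module (guix packages)
  #:use-module (guix build-system trivial)
  #:use-module ((guix licenses) #:prefix license:))

;; Constructed placeholder package for this example.
(define-public internal-lib
  (package
    (name "internal-lib")
    (version "1.0")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:builder (begin (mkdir (assoc-ref %outputs "out")) #t)))
    (synopsis "Example internal library")
    (description "Constructed placeholder package for this example.")
    (home-page "https://example.invalid")
    (license license:expat)))

;; File: my-channel/packages/app.scm (hypothetical channel module)
(define-module (my-channel packages app)
  #:use-module (guix packages)
  #:use-module (gnu packages)                      ; specification->package
  #:use-module (my-channel packages internal-lib))

;; Reference by module import + variable name: `internal-lib' is bound at
;; module-import time to the variable exported by
;; (my-channel packages internal-lib).  A same-named package exported by
;; another channel does not change what this reference points to.
(define-public app
  (package
    (inherit internal-lib)
    (name "app")
    (synopsis "Application depending on internal-lib by variable")
    (inputs (list internal-lib))))

;; Reference by name: specification->package searches all package modules
;; Guix has loaded for a package *named* "internal-lib".  If an upstream
;; channel also exports one, the choice is made by Guix's name lookup
;; rather than by this channel, which is the kind of confusion the quoted
;; message is concerned about.
(define-public app-by-name
  (package
    (inherit app)
    (name "app-by-name")
    (inputs (list (specification->package "internal-lib")))))
```

A quick check from the channel's own tree is `guix show app` versus `guix show app-by-name`: the former always reports the channel's internal-lib as an input, while the latter reports whichever package named "internal-lib" Guix resolved.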