unofficial mirror of gwl-devel@gnu.org
From: zimoun <zimon.toutoune@gmail.com>
To: Konrad Hinsen <konrad.hinsen@fastmail.net>
Cc: gwl-devel@gnu.org
Subject: Re: Getting started with GWL 0.3.0
Date: Tue, 23 Mar 2021 21:16:43 +0100
Message-ID: <CAJ3okZ3=ey3Z8FqwGROveFg4L-E=y+EH-p1=CDafmR9kbOJB7w@mail.gmail.com>
In-Reply-To: <m17dlykoyh.fsf@ordinateur-de-catherine--konrad.home>

Hi Konrad,

On Tue, 23 Mar 2021 at 13:57, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:

> Yes, exactly. Like what happened to npm:
>
>   https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/
>
> Apparently this is now called typo-squatting.

And PyPI and.. whatever "store" with no clear policy...

> > A typo can have bad surprises.  But at first, you need to trust a channel
> > providing this malware-package, then second you need to install this
> > malware-package and third make the typo.
>
> The last part comes with zero effort :-)
>
> As for trusting channels and packages, this is not much of an issue
> today, but if Guix ever becomes as popular as Debian is today, then we
> will have plenty of users with no clue about who or what they can trust.

...and you can do the same with any package manager.  For instance,
add an evil channel to your /etc/apt/sources.list, then "apt-get
update", and then you have no guarantee about what you are installing; for
example, "apt-get install git" will install regular Git with a git-pul
typo malware, or even the Git version you get is malware.

The issue at first is the channel.  There are official channels that
you are trusting and other channels that you cannot trust.  Well, your
concern is about any suspicious channel; for instance, if I blindly
install the python-paper-foo package then I have no guarantee that
this package does not also install the malicious 'emasc' binary, which is a typo
I often make.

> In the long run, maybe a command spell-checker would be a nice way out.
> Some piece of software that decides, based on my command history,
> whether a command I type is more likely a typo or the intention to run
> some exotic software.

Well, checking at each command invocation could slow Guix down, since it is
already not the fastest CLI in the West. :-)


Cheers,
simon
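The command spell-checker Konrad sketches above, written out as an added example (not code from the thread or from GWL/Guix): a hypothetical shell hook would pass the command name about to run plus the shell history to `classify_command`, which flags a name that is within one edit (including a transposition such as "emasc" for "emacs") of a frequently used command as a likely typo rather than an intended exotic program. The history below is constructed for the example.

```python
from collections import Counter

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or swap
    two adjacent characters each cost 1, so "gti" -> "git" is one edit."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[len(b)]

def classify_command(cmd, history, min_count=5, max_dist=1):
    """Return ("known", cmd), ("likely-typo", intended) or ("unknown", None).

    Only commands run at least min_count times count as "frequent"; this keeps
    a one-off command from turning every similar name into a false positive.
    """
    counts = Counter(history)
    if counts[cmd] >= min_count:
        return ("known", cmd)
    # most_common() is sorted by frequency, so the first hit is the best guess.
    for known, n in counts.most_common():
        if n < min_count:
            break
        if edit_distance(cmd, known) <= max_dist:
            return ("likely-typo", known)
    return ("unknown", None)

# Constructed history: frequent editors and tools plus one rarely used command.
HISTORY = ["git"] * 20 + ["emacs"] * 12 + ["ls"] * 30 + ["guix"] * 8 + ["R"] * 2

if __name__ == "__main__":
    for typed in ("git", "gti", "emasc", "guxi", "python-paper-foo", "r"):
        print(typed, "->", classify_command(typed, HISTORY))
```

Because short names sit within one edit of each other (for example "cd" and "cp"), the distance check alone is noisy; the frequency threshold is what makes the verdict usable, and the whole check is a few dictionary lookups per invocation.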

