guix-devel

Re: Tricking peer review


From: Ludovic Courtès
Subject: Re: Tricking peer review
Date: Mon, 18 Oct 2021 09:34:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hello!

Liliana Marie Prikler <liliana.prikler@gmail.com> wrote:

> On Friday, 15.10.2021, 20:54 +0200, Ludovic Courtès wrote:

[...]

>> It’s nothing new, it’s what I do when I want to test the download
>> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
>> c4a7aa82e25503133a1bd33148d17968c899a5f5).  Still, I wonder if it
>> could somehow be abused to have malicious packages pass review.
> I don't think this is much of a problem for packages where we have
> another source of truth (in this case mirrors/archives of sed), but it
> does point at a bigger problem when SWH is our only source of truth.
> I.e. when trying to conserve such software for the future, when other
> archives might fail and perhaps SHA256 itself might be broken, we can
> no longer be sure that the Guix time-machine indeed does what it
> promises.

At the time a package is committed, its source is normally not
downloaded from SWH—at least that’s what we aim for, and ‘guix lint’
warns against 404 source URLs.  So when the package is reviewed and
committed, people can check the origin of the source, verify it against
published signatures when possible, and so on.

>> Also, just because a URL looks nice and is reachable doesn’t mean the
>> source is trustworthy either.  An attacker could submit a package for
>> an obscure piece of software that happens to be malware.  The
>> difference here is that the trick above would allow targeting a high-
>> impact package.
> Again, less of an issue w.r.t. review because the reviewers can at
> review time check that the tarball matches their expectations.  I
> personally find "I can't find this source anywhere but on SWH" to be a
> perfect reason to reject software in the main Guix channel, though
> perhaps that rule is a bit softer in Guix Past.

Right.  SWH is a fallback, meaning that, eventually, most source gets
downloaded from there (because the original hosting sites vanish); but
again, at the time of review, source must be available elsewhere.

>> On the plus side, such an attack would be recorded forever in Git
>> history.
> On the minus side, time-machine makes said record a landmine to step
> into.

That’s one way to look at it; the same could be said of unpatched
vulnerabilities found in old versions.  It remains that deploying from a
pinned Guix revision has its uses.

[...]

> I agree that cross-checking “guix download” might be good praxis for
> review.

Reviewing includes at least building the package, thus downloading its
source, and running ‘guix lint’.  So there’s nothing really new
here I guess.

> Perhaps in light of this we should extend it to Git/SVN/other VCS?

Thanks,
Ludo’.
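The cross-check discussed in this thread boils down to fetching the source from its upstream URL independently (which is what ‘guix download’ does) and comparing the result with the hash declared in the package's origin as (sha256 (base32 "...")). That string is Nix-style base32, the format ‘guix hash’ and ‘guix download’ print, so the hex output of sha256sum cannot be compared with it directly. The following is an added example, not code from the thread or from Guix itself, that implements that encoding and the comparison a reviewer performs; all function names and the sample bytes are constructed for illustration.

```python
import hashlib

# Nix/Guix base32 alphabet: 32 symbols, deliberately omitting e, o, t and u.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a raw digest the way Nix and Guix do (as printed by `guix hash`).

    The digest is read from its highest bit downwards in 5-bit groups, taking
    the least-significant byte first, so the result differs from RFC 4648 base32.
    """
    length = (len(digest) * 8 - 1) // 5 + 1  # 52 symbols for a 32-byte SHA-256
    out = []
    for n in range(length - 1, -1, -1):
        bit = n * 5
        i, j = divmod(bit, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(out)


def is_well_formed_sha256_base32(declared: str) -> bool:
    """Sanity check for the string found in a package's (sha256 (base32 ...)) field."""
    return len(declared) == 52 and all(ch in NIX_BASE32_ALPHABET for ch in declared)


def source_hash(data: bytes) -> str:
    """The nix-base32 SHA-256 of a fetched tarball, comparable to the origin field."""
    return nix_base32(hashlib.sha256(data).digest())


def origin_matches(data: bytes, declared: str) -> bool:
    """True when an independently fetched source has exactly the declared hash.

    A reviewer fetches from the upstream URL (not from a substitute or from
    SWH) and compares; any mismatch, including a malformed declared hash,
    means the package definition should not be merged as-is.
    """
    if not is_well_formed_sha256_base32(declared):
        return False
    return source_hash(data) == declared


if __name__ == "__main__":
    # Constructed stand-in for a downloaded tarball; not a real release.
    fetched = b"constructed tarball bytes for illustration\n"
    declared = source_hash(fetched)          # what the submitter wrote in the origin
    tampered = fetched + b"extra payload\n"  # what an attacker's hosting might serve

    print("declared :", declared)
    print("upstream :", origin_matches(fetched, declared))   # True
    print("tampered :", origin_matches(tampered, declared))  # False
```

On a real review the ‘data’ argument is the file obtained with ‘guix download URL’ or a plain fetch of the upstream URL; comparing its hash with the origin field, and with the published signature where the project provides one, is the step that catches a definition whose only matching artifact lives in a fallback archive.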
