From unknown Sat Jul 26 16:40:54 2025
Subject: bug#60782: Channels and dependency confusion
From: Ludovic Courtès
To: bug-guix@gnu.org
Date: Fri, 13 Jan 2023 14:48:53 +0100
Message-ID: <87r0vybl4q.fsf@inria.fr>

In the light of the “dependency confusion” attack on PyTorch¹, one might
wonder how such a thing could affect Guix. The threat model is quite
different though because the ‘guix’ channel is peer-reviewed and curated
whereas PyPI isn’t.

Yet, one way to “translate” the attack to Guix is by looking at module
name clashes, as was suggested on Mastodon². For example, I’m the author
of a channel; my packages refer to (@ (gnu packages guile) guile-3.0),
which I expect to be the “genuine” Guile provided by the ‘guix’ channel.
What happens if the user pulls in an additional channel that also
provides (gnu packages guile) with that ‘guile-3.0’ variable?

Nothing, because the ‘guix’ channel always comes first in the module
search path (see ‘%package-module-path’ in (gnu packages)). Good.

Now same scenario, but with references to another channel, for example
(@ (past packages boost) boost-1.68) provided by Guix-Past. This time,
if the user pulls in an additional channel that also provides
(@ (past packages boost) boost-1.68), we do not know which one is going
to take precedence. It may go unnoticed though, because
‘channel-instances->derivation’ calls ‘profile-derivation’, which uses
‘build-profile’, which calls ‘union-build’ with the default file
collision policy, which is to warn (the warning only appears in the
build log).

I think it would be best to error out if multiple channels provide
same-named files.

Thoughts?

Ludo’.

¹ https://pytorch.org/blog/compromised-nightly-dependency/
² https://toot.aquilenet.fr/@Parnikkapore@mastodon.social/109636000975651971

From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 13 08:53:38 2023
Subject: control message for bug #60782
From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Fri, 13 Jan 2023 14:53:31 +0100
Message-Id: <87pmbibkx0.fsf@gnu.org>

severity 60782 important
quit

From debbugs-submit-bounces@debbugs.gnu.org Fri Jan 13 08:53:41 2023
Subject: control message for bug #60782
From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Fri, 13 Jan 2023 14:53:36 +0100
Message-Id: <87o7r2bkwv.fsf@gnu.org>

tags 60782 + security
quit
From unknown Sat Jul 26 16:40:54 2025
Subject: bug#60782: Channels and dependency confusion
From: Simon Tournier
To: Ludovic Courtès, 60782@debbugs.gnu.org
Date: Fri, 13 Jan 2023 18:16:41 +0100
Message-ID: <87sfgeuzgm.fsf@gmail.com>
In-Reply-To: <87r0vybl4q.fsf@inria.fr>

Hi,

On Fri., 13 Jan. 2023 at 14:48, Ludovic Courtès wrote:

> Nothing, because the ‘guix’ channel always comes first in the module
> search path (see ‘%package-module-path’ in (gnu packages)). Good.
>
> Now same scenario, but with references to another channel, for example
> (@ (past packages boost) boost-1.68) provided by Guix-Past.

The PyPI attack used to compromise PyTorch exploits the fact that the
PyPI index takes precedence, and sadly PyPI is not curated.

https://github.com/pypa/pip/issues/8606

Well, the assumption for a similar attack using Guix channels is that
the user first adds the channel to their channel list. Therefore, they
trust what they consider able to be trusted. ;-)

> This time, if the user pulls in an additional channel that also provides
> (@ (past packages boost) boost-1.68), we do not know which one is going
> to take precedence. It may go unnoticed though, because
> ‘channel-instances->derivation’ calls ‘profile-derivation’, which uses
> ‘build-profile’, which calls ‘union-build’ with the default file
> collision policy, which is to warn (the warning only appears in the
> build log).
>
> I think it would be best to error out if multiple channels provide
> same-named files.

Yes, it could be a counter-measure. Aside from the security risk, it
even appears sane to me to error, because this collision leads to
undefined behaviour. And such undefined behaviours should be removed;
they are never a good thing.

Cheers,
simon
From unknown Sat Jul 26 16:40:54 2025
Subject: bug#60782: Channels and dependency confusion
From: Ludovic Courtès
To: Simon Tournier
Cc: 60782@debbugs.gnu.org
Date: Mon, 16 Jan 2023 10:00:01 +0100
Message-ID: <87cz7e7t2m.fsf@inria.fr>
In-Reply-To: <87sfgeuzgm.fsf@gmail.com>
References: <87r0vybl4q.fsf@inria.fr> <87sfgeuzgm.fsf@gmail.com>

Hello,

Simon Tournier wrote:

> On Fri., 13 Jan. 2023 at 14:48, Ludovic Courtès wrote:
>
>> Nothing, because the ‘guix’ channel always comes first in the module
>> search path (see ‘%package-module-path’ in (gnu packages)). Good.
>>
>> Now same scenario, but with references to another channel, for example
>> (@ (past packages boost) boost-1.68) provided by Guix-Past.
>
> The PyPI attack used to compromise PyTorch exploits the fact that the
> PyPI index takes precedence, and sadly PyPI is not curated.
>
> https://github.com/pypa/pip/issues/8606
>
> Well, the assumption for a similar attack using Guix channels is that
> the user first adds the channel to their channel list. Therefore, they
> trust what they consider able to be trusted. ;-)

Right, users would have to explicitly add the offending channel to their
channel list in the first place. (And there are many other ways channel
code could mess up with one’s machine.)

>> This time, if the user pulls in an additional channel that also provides
>> (@ (past packages boost) boost-1.68), we do not know which one is going
>> to take precedence. It may go unnoticed though, because
>> ‘channel-instances->derivation’ calls ‘profile-derivation’, which uses
>> ‘build-profile’, which calls ‘union-build’ with the default file
>> collision policy, which is to warn (the warning only appears in the
>> build log).
>>
>> I think it would be best to error out if multiple channels provide
>> same-named files.
>
> Yes, it could be a counter-measure. Aside from the security risk, it
> even appears sane to me to error, because this collision leads to
> undefined behaviour. And such undefined behaviours should be removed;
> they are never a good thing.

+1!

Ludo’.
From unknown Sat Jul 26 16:40:54 2025
Subject: bug#60782: Channels and dependency confusion
From: Simon Tournier
To: Ludovic Courtès
Cc: 60782@debbugs.gnu.org
Date: Mon, 16 Jan 2023 12:18:58 +0100
Message-ID: <874jsqvial.fsf@gmail.com>
In-Reply-To: <87cz7e7t2m.fsf@inria.fr>
References: <87r0vybl4q.fsf@inria.fr> <87sfgeuzgm.fsf@gmail.com> <87cz7e7t2m.fsf@inria.fr>

Hi,

On Mon., 16 Jan. 2023 at 10:00, Ludovic Courtès wrote:

>> Well, the assumption for a similar attack using Guix channels is that
>> the user first adds the channel to their channel list. Therefore, they
>> trust what they consider able to be trusted. ;-)
>
> Right, users would have to explicitly add the offending channel to their
> channel list in the first place. (And there are many other ways channel
> code could mess up with one’s machine.)

To be precise, the user must add a compromised channel; either
compromised by the packages which this channel offers, or by some
dependency channel of this very same channel.

For instance, consider the user adds the channel guix-bimsb which
contains this .guix-channel [1] file:

--8<---------------cut here---------------start------------->8---
(channel
 (version 0)
 (dependencies
  (channel
   (name guix-past)
   (url "https://gitlab.inria.fr/guix-hpc/guix-past"))
  (channel
   (name guix-science)
   (url "https://github.com/guix-science/guix-science.git"))))
--8<---------------cut here---------------end--------------->8---

Here, the user could be compromised if the attacker is able to
compromise guix-past or guix-science. The user who trusts guix-bimsb is
maybe not aware of these recursive dependencies; but because they trust
guix-bimsb in the first place, somehow it means they trust the people
behind guix-bimsb to check that guix-past or guix-science is not
compromised.

Well, somehow it is a web of trust. And if all channels are using
authentication, then the attack is hard, no?

1:

Cheers,
simon
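The recursive dependency chain Simon describes, as an added example that is not part of the thread and not Guix's own code: a small Python script (Guix itself is written in Guile) that reads `.guix-channel` files and lists every channel a user ends up trusting after adding just one. Only the guix-bimsb file mirrors the snippet quoted above; the other `.guix-channel` contents, the `some-lab-channel` name and URL, and the `fetch` callback standing in for a `git clone` are assumptions constructed for the example.

```python
"""Added example (not Guix code): follow (dependencies ...) clauses of
.guix-channel files transitively to show the implicit trust surface."""
import re

# Tokens: parens, double-quoted strings (with backslash escapes), bare atoms.
_TOKEN_RE = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')

# Constructed inputs: name -> contents of that repository's .guix-channel.
# Only "guix-bimsb" is the file quoted in the thread; the rest, including
# "some-lab-channel", are made up to show a second level of dependencies.
CHANNEL_FILES = {
    "guix-bimsb": """(channel
 (version 0)
 (dependencies
  (channel
   (name guix-past)
   (url "https://gitlab.inria.fr/guix-hpc/guix-past"))
  (channel
   (name guix-science)
   (url "https://github.com/guix-science/guix-science.git"))))""",
    "guix-past": "(channel (version 0))",
    "guix-science": """(channel
 (version 0)
 (dependencies
  (channel (name guix-past) (url "https://gitlab.inria.fr/guix-hpc/guix-past"))
  (channel (name some-lab-channel) (url "https://example.org/some-lab-channel"))))""",
    "some-lab-channel": "(channel (version 0))",
}


def parse_sexp(text):
    """Minimal S-expression reader returning nested lists of strings.
    Quoted strings lose their quotes; symbols and numbers stay bare text."""
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise SyntaxError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise SyntaxError("missing ')'")
            pos += 1  # consume the closing paren
            return items
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        return tok[1:-1] if tok.startswith('"') else tok

    form = read()
    if pos != len(tokens):
        raise SyntaxError("trailing data after top-level form")
    return form


def direct_dependencies(channel_file_text):
    """[(name, url)] from the (dependencies ...) clause of a .guix-channel."""
    form = parse_sexp(channel_file_text)
    if not isinstance(form, list) or not form or form[0] != "channel":
        raise ValueError("not a (channel ...) form")
    deps = []
    for clause in form[1:]:
        if isinstance(clause, list) and clause and clause[0] == "dependencies":
            for dep in clause[1:]:
                fields = {f[0]: f[1] for f in dep[1:]
                          if isinstance(f, list) and len(f) == 2}
                deps.append((fields["name"], fields["url"]))
    return deps


def trust_closure(root, fetch):
    """Every channel whose code is pulled once `root` is added.
    `fetch(name)` returns that channel's .guix-channel text (a clone, really).
    Returns {name: (url, [chain of channels that pulled it in])}."""
    seen = {root: (None, [])}
    stack = [root]
    while stack:
        current = stack.pop()
        for name, url in direct_dependencies(fetch(current)):
            if name in seen:
                continue  # already reached; this also stops dependency cycles
            seen[name] = (url, seen[current][1] + [current])
            stack.append(name)
    return seen


def implicit_trust(root, fetch):
    """Channels the user never listed but now relies on, sorted by name."""
    return sorted(name for name in trust_closure(root, fetch) if name != root)


if __name__ == "__main__":
    for name, (url, via) in trust_closure("guix-bimsb", CHANNEL_FILES.__getitem__).items():
        print(f"{name:18} via {' -> '.join(via) or '(listed by user)'}  {url or ''}")
```

Running it shows that listing guix-bimsb alone pulls in guix-past, guix-science and, through guix-science, the constructed some-lab-channel, with the chain that introduced each; that chain is the set of maintainers whose repositories (and, if authenticated, whose signing keys) the user is now relying on.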
From unknown Sat Jul 26 16:40:54 2025
Subject: bug#60782: Channels and dependency confusion
From: david larsson
To: Ludovic Courtès
Cc: bug-guix-bounces+someone=selfhosted.xyz@gnu.org, 60782@debbugs.gnu.org
Date: Mon, 16 Jan 2023 20:49:40 +0100
Message-ID: <269d9fff51e61065afb28945795f87e8@selfhosted.xyz>
In-Reply-To: <87r0vybl4q.fsf@inria.fr>

On 2023-01-13 14:48, Ludovic Courtès wrote:
[..]
>
> I think it would be best to error out if multiple channels provide
> same-named files.
>
> Thoughts?

An alternative to erroring out: how about making it a feature to be able
to specify a precedence order, say in the .guix-channel file. For
example, that might make it easier to customize files present in guix
master by copying them and making modifications. A custom channel might
also want to specify the option to disallow a dependent channel from
taking any precedence.

Best regards,
David
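Ludovic's proposal to error out on same-named files and David's alternative of an explicit precedence order, as an added example in Python (not Guix code; Guix's own `union-build` and profile code are Guile). The channel names, the file lists and the `find_collisions`/`classify`/`union` functions are constructed for illustration; the one fact taken from the thread is that the ‘guix’ channel always comes first in `%package-module-path`, so a clash with it resolves in its favour while a clash between two other channels has no defined winner.

```python
"""Added example (not Guix code): detect same-named files across channel
checkouts before they are unioned, and apply one of three collision
policies: "warn" (the default union-build behaviour described in the
thread), "error" (Ludovic's proposal) or an explicit "precedence" order
(David's suggestion)."""
from collections import defaultdict

# Constructed checkouts, ordered as in a channels.scm: channel name ->
# {relative module file path: abbreviated content}.
CHANNELS = [
    ("guix", {
        "gnu/packages/guile.scm": ";; genuine (gnu packages guile), guile-3.0",
        "gnu/packages/boost.scm": ";; (gnu packages boost)",
    }),
    ("guix-past", {
        "past/packages/boost.scm": ";; (past packages boost), boost-1.68",
    }),
    ("third-party", {
        "gnu/packages/guile.scm": ";; look-alike (gnu packages guile)",
        "past/packages/boost.scm": ";; look-alike (past packages boost)",
        "third/packages/extra.scm": ";; unique module, no clash",
    }),
]


class CollisionError(Exception):
    """Raised under the "error" policy when channels ship the same file."""


def find_collisions(channels):
    """{path: [channels providing it]} for every path provided more than once."""
    providers = defaultdict(list)
    for name, files in channels:
        for path in files:
            providers[path].append(name)
    return {p: names for p, names in providers.items() if len(names) > 1}


def classify(collisions):
    """Split collisions into those the module search path settles anyway
    (the 'guix' channel comes first in %package-module-path, so its copy is
    the one (@ ...) references see) and those between other channels, whose
    winner is undefined."""
    resolved, ambiguous = {}, {}
    for path, names in collisions.items():
        (resolved if "guix" in names else ambiguous)[path] = names
    return resolved, ambiguous


def union(channels, policy="warn", precedence=None):
    """Combine channel trees into ({path: winning channel}, collisions).

    "warn":       build anyway and merely report collisions (the real warning
                  only lands in the build log). Which copy the union keeps is
                  arbitrary; first-listed stands in for that arbitrary choice.
    "error":      refuse to build if any ambiguous collision exists.
    "precedence": resolve by an explicit channel order, most preferred first,
                  as a .guix-channel-level setting might express it.
    """
    collisions = find_collisions(channels)
    _, ambiguous = classify(collisions)
    if policy == "error" and ambiguous:
        raise CollisionError("same-named files in several channels: "
                             + ", ".join(sorted(ambiguous)))
    if policy == "precedence":
        if precedence is None:
            raise ValueError('policy "precedence" needs a channel order')
        rank = {name: i for i, name in enumerate(precedence)}
        unranked = [name for name, _ in channels if name not in rank]
        if unranked:
            raise ValueError(f"no precedence given for {unranked}")
    elif policy in ("warn", "error"):
        rank = {name: i for i, (name, _) in enumerate(channels)}
    else:
        raise ValueError(f"unknown policy {policy!r}")
    winners = {}
    for name, files in channels:
        for path in files:
            if path not in winners or rank[name] < rank[winners[path]]:
                winners[path] = name
    return winners, collisions


if __name__ == "__main__":
    winners, collisions = union(CHANNELS, "warn")
    resolved, ambiguous = classify(collisions)
    for path, names in ambiguous.items():
        print(f"ambiguous: {path} provided by {names}; union kept {winners[path]}")
    for path, names in resolved.items():
        print(f"shadowed by guix: {path} also provided by {names}")
```

With the constructed checkouts, `gnu/packages/guile.scm` is reported but harmless (guix wins in the module path), `past/packages/boost.scm` is the ambiguous case the thread worries about, and the `"error"` policy turns that silent build-log warning into a failed `guix pull`; the `"precedence"` policy lets a user deliberately put an overriding channel first, which is David's use case of patching a copied module.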