[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#60782: Channels and dependency confusion
|
From: |
Simon Tournier |
|
Subject: |
bug#60782: Channels and dependency confusion |
|
Date: |
Mon, 16 Jan 2023 12:18:58 +0100 |
Hi,
On lun., 16 janv. 2023 at 10:00, Ludovic Courtès <ludovic.courtes@inria.fr>
wrote:
>> Well, the assumption for a similar attack using Guix channels is that
>> the user first adds the channel to their channel list. Therefore, they
>> trust what they consider able to be trust. ;-)
>
> Right, users would have to explicitly add the offending channel to their
> channel list in the first place. (And there are many other ways channel
> code could mess up with one’s machine.)
To be precise, the user must add a compromised channel; either
compromised by the packages which this channel offers or either by some
dependencies channel of this very same channel.
For instance, consider the user adds the channel guix-bimsb which
contains this .guix-channel [1] file:
--8<---------------cut here---------------start------------->8---
(channel
(version 0)
(dependencies
(channel
(name guix-past)
(url "https://gitlab.inria.fr/guix-hpc/guix-past";))
(channel
(name guix-science)
(url "https://github.com/guix-science/guix-science.git";))))
--8<---------------cut here---------------end--------------->8---
Here, the user could be compromised if the attacker is able to
compromise guix-past or guix-science. The user who trusts guix-bimsb is
maybe not aware of this recursive dependencies; but because they trust
guix-bimsb in the first place, somehow it means they trust people behind
guix-bimsb to check that guix-past or guix-science is not compromised.
Well, somehow it is a web of trust.
And if all channels are using authentication, then the attack is hard,
no?
1: <https://github.com/BIMSBbioinfo/guix-bimsb/blob/master/.guix-channel>
Cheers,
simon