guix-devel

Re: Mitigating "dependency confusion" attacks on Guix users


From: Lars-Dominik Braun
Subject: Re: Mitigating "dependency confusion" attacks on Guix users
Date: Wed, 10 Feb 2021 08:48:25 +0100

Hi,

very interesting read.

> However, I'm still thinking about how to attack Guix users. Somebody who
> adds an internal channel for their own packages could still be
> vulnerable to a dependency confusion attack via a compromised or
> manipulated Guix maintainer. The target of the attack could install
> packages they believed would be provided by their internal channel but
> actually get another package provided upstream.
Usually you’d use module imports and variable names inside your
channel’s packages. Wouldn’t that defeat this attack? (Depending on
Guix’/Guile’s module loading order of course.)

What about substitute servers? As far as I understand, as soon as they’re
authorized they can deliver substitutes for *any* package.

Lars
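The distinction raised above, as an added illustration that is not part of this thread or of Guix's own code: a Guix manifest that refers to a package first by name (resolved across every channel on the load path) and then through a module variable (bound to one channel's module). The channel module `(my-channel packages foo)` and the variable `my-foo` are assumed names.

```scheme
;; manifest.scm (illustrative; channel and package names are assumed)
(use-modules (gnu packages)              ; provides specification->package
             (guix profiles)             ; provides packages->manifest
             (my-channel packages foo))  ; assumed internal channel module exporting my-foo

;; Name-based lookup: "foo" is resolved by name across every package module
;; on the load path, so a same-named package from another channel could be
;; selected instead of the internal one.
(define by-name (specification->package "foo"))

;; Variable-based reference: my-foo is bound by the module import above,
;; so it can only come from (my-channel packages foo).
(define by-variable my-foo)

;; The manifest uses the unambiguous, variable-based reference.
(packages->manifest (list by-variable))
```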
