Re: Mitigating "dependency confusion" attacks on Guix users
From: Lars-Dominik Braun
Subject: Re: Mitigating "dependency confusion" attacks on Guix users
Date: Wed, 10 Feb 2021 08:48:25 +0100
Hi,
very interesting read.
> However, I'm still thinking about how to attack Guix users. Somebody who
> adds an internal channel for their own packages could still be
> vulnerable to a dependency confusion attack via a compromised or
> manipulated Guix maintainer. The target of the attack could install
> packages they believed would be provided by their internal channel but
> actually get another package provided upstream.
Usually you’d use module imports and variable names inside your
channel’s packages. Wouldn’t that defeat this attack? (Depending on
Guix’/Guile’s module loading order of course.)
What about substitute servers? As far as I understand as soon as they’re
authorized they can deliver substitutes for *any* package.
Lars
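The distinction Lars draws, as an added Guile example that is not code from this thread or from Guix itself: a channel package that imports the module and names the variable is bound to that channel's definition, while a package that resolves its input by string goes through `specification->package`, which searches every loaded package module. The channel `(my-channel ...)`, the package variable `internal-tool` and the two `consumer-*` packages are assumed names for illustration, not real Guix packages.

```scheme
;; Added example, not part of the thread or of Guix.  Two ways a package
;; in an internal channel can refer to another package of that channel;
;; the module (my-channel packages internal-tool) and the variable
;; internal-tool are assumed to exist in the channel.
(define-module (my-channel packages consumer)
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module (guix build-system trivial)
  #:use-module ((guix licenses) #:prefix license:)
  ;; Explicit import: `internal-tool' is the binding exported by this
  ;; channel's own module, whatever upstream Guix calls its packages.
  ;; #:select makes the source of the binding unambiguous even if another
  ;; imported module exports a variable of the same name.
  #:use-module ((my-channel packages internal-tool) #:select (internal-tool))
  ;; Only needed for the name-based variant below.
  #:use-module (gnu packages))

(define-public consumer-pinned
  (package
    (name "consumer-pinned")
    (version "0.1")
    (source #f)
    (build-system trivial-build-system)
    (arguments (list #:builder #~(mkdir #$output)))
    ;; Module-based reference: no name lookup happens, so a package named
    ;; "internal-tool" appearing upstream is never considered.
    (inputs (list internal-tool))
    (synopsis "Consumer whose input is pinned to the channel's definition")
    (description "Added example; not a real package.")
    (home-page "https://example.invalid")
    (license license:gpl3+)))

(define-public consumer-by-name
  (package
    (inherit consumer-pinned)
    (name "consumer-by-name")
    ;; Name-based lookup: `specification->package' searches all package
    ;; modules in scope, upstream Guix and every channel alike, and keeps
    ;; the highest version found.  If upstream gains a package named
    ;; "internal-tool" with a higher version, it wins; at equal versions
    ;; Guix warns about the ambiguous specification and picks one, which
    ;; depends on module load order.  This is the confusion risk.
    (inputs (list (specification->package "internal-tool")))))
```

Running `guix build consumer-by-name` with the channel enabled shows which definition the lookup resolved to (Guix prints an "ambiguous package specification" warning when several candidates exist), whereas `consumer-pinned` always builds against the channel's own `internal-tool`.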