Re: Tricking peer review
From: Christine Lemmer-Webber
Subject: Re: Tricking peer review
Date: Mon, 25 Oct 2021 09:09:13 -0400
User-agent: mu4e 1.6.6; emacs 27.2
Ludovic Courtès <ludovic.courtes@inria.fr> writes:
> It builds just fine:
>
> $ guix build -f /tmp/content-addressed.scm
> /gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
> $ guix build -f /tmp/content-addressed.scm -S --check -v0
> /gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
>
>
> Did you spot a problem?
>
> …
>
>
> So, what did we just build?
>
> $ ls $(guix build -f /tmp/content-addressed.scm)/bin
> egrep fgrep grep
>
>
> Oh oh! This ‘sed’ package is giving us ‘grep’! How come?
>
> The trick is easy: we give a URL that’s actually 404, with the hash of a
> file that can be found on Software Heritage (in this case, that of
> ‘grep-3.4.tar.xz’). When downloading the source, the automatic
> content-addressed fallback kicks in, and voilà:
>
> $ guix build -f /tmp/content-addressed.scm -S --check
> La jena derivaĵo estos konstruata:
> /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
> building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...
>
> Starting download of
> /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
> From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
> following redirection to
> `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
> download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz" 404 "Not
> Found"
>
> [...]
>
> Starting download of
> /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
> From
> https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
> downloading from
> https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/
> ...
>
> warning: rewriting hashes in
> `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
> successfully built
> /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
>
>
> It’s nothing new, it’s what I do when I want to test the download
> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
> c4a7aa82e25503133a1bd33148d17968c899a5f5). Still, I wonder if it could
> somehow be abused to have malicious packages pass review.
Here's another way to think of it, borrowing from some ocap systems: the
hash is the actual, canonical identifier of this package revision. The
URL to get the package is merely a "hint" as to where to get it.
Therefore, there can be many other "hints" as to where to get it too,
enabling mirrors to be elevated to the "same" priority as the original
source.
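As an added example (not code from this thread or from Guix itself), a reviewer-side check in the spirit of the discussion above: verify the declared hash against the declared URL only, with no content-addressed fallback, so a dead URL surfaces as a finding instead of being silently served from an archive that happens to know the hash. The tarball bytes, the example.org URL and the in-memory fetcher are constructed stand-ins; only the `gnu/zed/sed-4.8.tar.gz` URL comes from the thread.

```python
"""Reviewer-side source check for a Guix-style origin: fetch ONLY from the
declared URL (no content-addressed fallback) and compare the sha256."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

Fetcher = Callable[[str], Optional[bytes]]   # returns None on 404 / failure


@dataclass(frozen=True)
class Origin:
    uri: str
    sha256_hex: str        # the hash the package definition declares


@dataclass(frozen=True)
class Verdict:
    status: str            # "ok" | "unreachable" | "hash-mismatch"
    actual_sha256: Optional[str]


def check_origin(origin: Origin, fetch: Fetcher) -> Verdict:
    """Verify the declared hash against the declared URL only.

    A content-addressed fallback would 'succeed' for any hash it knows, so it
    cannot tell us whether the URL and the hash describe the same file. Here
    an unreachable URL is reported as a finding, not papered over."""
    data = fetch(origin.uri)
    if data is None:
        return Verdict("unreachable", None)
    digest = hashlib.sha256(data).hexdigest()
    if digest != origin.sha256_hex.lower():
        return Verdict("hash-mismatch", digest)
    return Verdict("ok", digest)


# --- constructed offline stand-in for the network (not real tarballs) ---
GREP_BYTES = b"constructed stand-in for grep-3.4.tar.xz"
GREP_SHA256 = hashlib.sha256(GREP_BYTES).hexdigest()
_FAKE_WEB = {"https://ftp.example.org/gnu/grep/grep-3.4.tar.xz": GREP_BYTES}
# Nothing is registered for the 'zed' URL from the thread, so it 404s.


def fake_fetch(url: str) -> Optional[bytes]:
    return _FAKE_WEB.get(url)


# The suspicious origin from the thread: a dead URL paired with grep's hash.
SUSPICIOUS = Origin("https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz", GREP_SHA256)
HONEST = Origin("https://ftp.example.org/gnu/grep/grep-3.4.tar.xz", GREP_SHA256)

if __name__ == "__main__":
    for o in (SUSPICIOUS, HONEST):
        print(o.uri, "->", check_origin(o, fake_fetch).status)
```

Run against a real origin, `fake_fetch` would be replaced by a plain HTTP GET of the stated URL; the point is that the check never consults a mirror or archive on the reviewer's behalf.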