Re: Tricking peer review

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Tricking peer review

From:	Christine Lemmer-Webber
Subject:	Re: Tricking peer review
Date:	Mon, 25 Oct 2021 09:09:13 -0400
User-agent:	mu4e 1.6.6; emacs 27.2

Ludovic Courtès <ludovic.courtes@inria.fr> writes:

> It builds just fine:
>
> $ guix build -f /tmp/content-addressed.scm  
> /gnu/store/lpais26sjwxcyl7y7jqns6f5qrbrnb34-sed-4.8
> $ guix build -f /tmp/content-addressed.scm -S --check -v0
> /gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz
>
>
> Did you spot a problem?
>
> …
>
>
> So, what did we just build?
>
> $ ls $(guix build -f /tmp/content-addressed.scm)/bin
> egrep  fgrep  grep
>
>
> Oh oh!  This ‘sed’ package is giving us ‘grep’!  How come?
>
> The trick is easy: we give a URL that’s actually 404, with the hash of a
> file that can be found on Software Heritage (in this case, that of
> ‘grep-3.4.tar.xz’).  When downloading the source, the automatic
> content-addressed fallback kicks in, and voilà:
>
> $ guix build -f /tmp/content-addressed.scm  -S --check 
> La jena derivaĵo estos konstruata:
>    /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
> building /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv...
>
> Starting download of 
> /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
>>From https://ftpmirror.gnu.org/gnu/zed/sed-4.8.tar.gz...
> following redirection to 
> `https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz'...
> download failed "https://mirror.cyberbits.eu/gnu/zed/sed-4.8.tar.gz"; 404 "Not 
> Found"
>
> [...]
>
> Starting download of 
> /gnu/store/1mlpazwwa2mi35v7jab5552lm3ssvn6r-sed-4.8.tar.gz
>>From 
>>https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/...
> downloading from 
> https://archive.softwareheritage.org/api/1/content/sha256:58e6751c41a7c25bfc6e9363a41786cff3ba5709cf11d5ad903cf7cce31cc3fb/raw/
>  ...
>
> warning: rewriting hashes in 
> `/gnu/store/mgais6lk92mm8n5kyx70knr11jbwgfhr-sed-4.8.tar.gz'; cross fingers
> successfully built 
> /gnu/store/nq2jdzbv3nh9b1mglan54dcpfz4l7bli-sed-4.8.tar.gz.drv
>
>
> It’s nothing new, it’s what I do when I want to test the download
> fallbacks (see also ‘GUIX_DOWNLOAD_FALLBACK_TEST’ in commit
> c4a7aa82e25503133a1bd33148d17968c899a5f5).  Still, I wonder if it could
> somehow be abused to have malicious packages pass review.

Here's another way to think of it, borrowing from some ocap systems: the
hash is the actual, canonical identifier of this package revision.  The
URL to get the package is merely a "hint" as to where to get it.

Therefore, there can be many other "hints" as to where to get it too,
enabling mirrors to be elevated to the "same" priority as the original
source.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Incentives for review, (continued)
- Re: Tricking peer review, Leo Famulari, 2021/10/20
  - Re: Tricking peer review, Ludovic Courtès, 2021/10/21
- Re: Tricking peer review, Christine Lemmer-Webber <=
  - Re: Tricking peer review, Ludovic Courtès, 2021/10/28

Prev by Date: Re: nnn-service-type for guix home
Next by Date: Re: Preservation of Guix 2021-10-22
Previous by thread: Re: Tricking peer review
Next by thread: Re: Tricking peer review
Index(es):
- Date
- Thread