From: Ludovic Courtès <ludovic.courtes@HIDDEN>
To: bug-guix@HIDDEN
Subject: bug#60782: Channels and dependency confusion
Date: Fri, 13 Jan 2023 14:48:53 +0100
Message-ID: <87r0vybl4q.fsf@HIDDEN>

In the light of the “dependency confusion” attack on PyTorch¹, one might
wonder how such a thing could affect Guix. The threat model is quite
different though because the ‘guix’ channel is peer-reviewed and curated
whereas PyPI isn’t.

Yet, one way to “translate” the attack to Guix is by looking at module
name clashes, as was suggested on Mastodon².

For example, I’m the author of a channel; my packages refer to
(@ (gnu packages guile) guile-3.0), which I expect to be the “genuine”
Guile provided by the ‘guix’ channel. What happens if the user pulls in
an additional channel that also provides (gnu packages guile) with that
‘guile-3.0’ variable?

Nothing, because the ‘guix’ channel always comes first in the module
search path (see ‘%package-module-path’ in (gnu packages)). Good.

Now same scenario, but with references to another channel, for example
(@ (past packages boost) boost-1.68) provided by Guix-Past. This time,
if the user pulls in an additional channel that also provides
(@ (past packages boost) boost-1.68), we do not know which one is going
to take precedence.

It may go unnoticed though, because ‘channel-instances->derivation’
calls ‘profile-derivation’, which uses ‘build-profile’, which calls
‘union-build’ with the default file collision policy, which is to warn
(the warning only appears in the build log).

I think it would be best to error out if multiple channels provide
same-named files.

Thoughts?

Ludo’.

¹ https://pytorch.org/blog/compromised-nightly-dependency/
² https://toot.aquilenet.fr/@Parnikkapore@HIDDEN/109636000975651971
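[Editor's note] The audit below is an added example; it is neither part of the report above nor code from Guix. It does, outside of ‘guix pull’, what the report proposes the union step should do: list every Scheme module that more than one channel checkout provides and fail instead of letting one channel silently shadow another. It assumes each channel is a plain directory checkout and that every ‘*.scm’ file below it is a module named by its relative path (past/packages/boost.scm stands for (past packages boost)), which is how a channel extends the load path. The ‘guix-past’ and ‘impostor’ channels in the demo are constructed sample data, not real channels.

```python
#!/usr/bin/env python3
"""Audit local Guix channel checkouts for module-name collisions.

Added example, not part of bug#60782 or of Guix.  It reproduces, outside
of 'guix pull', the strict policy proposed in the report: list every
Scheme module that more than one channel provides, and fail instead of
silently letting one channel shadow the other.  Assumptions: each channel
is a plain directory checkout, and every '*.scm' file below it is a module
whose name is its relative path (past/packages/boost.scm ->
(past packages boost)).
"""
import os
import sys
import tempfile
from collections import defaultdict


def scheme_modules(channel_dir):
    """Yield the relative paths of the *.scm files in a channel checkout."""
    for root, dirs, files in os.walk(channel_dir):
        dirs[:] = [d for d in dirs if d != ".git"]   # skip VCS metadata
        for name in files:
            if name.endswith(".scm"):
                yield os.path.relpath(os.path.join(root, name), channel_dir)


def module_name(relpath):
    """'past/packages/boost.scm' -> '(past packages boost)'."""
    parts = relpath[: -len(".scm")].split(os.sep)
    return "(" + " ".join(parts) + ")"


def find_collisions(channels):
    """channels: {channel-name: checkout-dir}.

    Return {module-name: [channel names]} for every module that at least
    two channels provide.  Which of them would win in the union is exactly
    the unspecified part the report is about, so every such case is listed.
    """
    providers = defaultdict(list)
    for chan, directory in channels.items():
        for rel in scheme_modules(directory):
            providers[module_name(rel)].append(chan)
    return {mod: sorted(chans) for mod, chans in providers.items()
            if len(chans) > 1}


def report(channels):
    """Human-readable error lines; empty when the channels do not clash."""
    return [f"{mod} is provided by {', '.join(chans)}"
            for mod, chans in sorted(find_collisions(channels).items())]


def demo():
    """Constructed sample (not real channels): a 'guix-past' checkout and
    an 'impostor' channel that also ships (past packages boost).
    Returns the sorted colliding module names."""
    layout = {
        "guix-past": ["past/packages/boost.scm", "past/packages/python.scm"],
        "impostor":  ["past/packages/boost.scm", "impostor/packages/tools.scm"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        channels = {}
        for chan, files in layout.items():
            channels[chan] = os.path.join(tmp, chan)
            for rel in files:
                path = os.path.join(channels[chan], *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write(f";; constructed sample module {rel}\n")
        return sorted(find_collisions(channels))


if __name__ == "__main__":
    # Usage: channel-collisions.py NAME=DIR [NAME=DIR ...]
    # With no arguments, runs the constructed demo instead.
    args = dict(arg.split("=", 1) for arg in sys.argv[1:])
    problems = report(args) if args else [f"demo: {m}" for m in demo()]
    for line in problems:
        print("error:", line, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Two caveats when using it against real checkouts: it flags any duplicate, including a third-party channel that redefines a (gnu packages …) module, even though the report notes that the ‘guix’ channel always wins there because of ‘%package-module-path’; and it inspects source checkouts only, whereas ‘union-build’ merges the built channel outputs, so a collision that appears only in generated files would not be caught here.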
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Ludovic Courtès <ludovic.courtes@HIDDEN>
Subject: bug#60782: Acknowledgement (Channels and dependency confusion)
Date: Fri, 13 Jan 2023 13:50:02 +0000
Message-ID: <handler.60782.B.167361776023468.ack <at> debbugs.gnu.org>

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 60782 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--
60782: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60782
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems
From: Ludovic Courtès <ludo@HIDDEN>
To: control <at> debbugs.gnu.org
Subject: control message for bug #60782
Date: Fri, 13 Jan 2023 14:53:31 +0100
Message-Id: <87pmbibkx0.fsf@HIDDEN>

severity 60782 important
quit
From: Ludovic Courtès <ludo@HIDDEN>
To: control <at> debbugs.gnu.org
Subject: control message for bug #60782
Date: Fri, 13 Jan 2023 14:53:36 +0100
Message-Id: <87o7r2bkwv.fsf@HIDDEN>

tags 60782 + security
quit
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.