Full text available.Received: (at submit) by debbugs.gnu.org; 13 Jan 2023 13:49:20 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 13 08:49:20 2023 Received: from localhost ([127.0.0.1]:49909 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1pGKQp-00066S-KZ for submit <at> debbugs.gnu.org; Fri, 13 Jan 2023 08:49:19 -0500 Received: from lists.gnu.org ([209.51.188.17]:54900) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludovic.courtes@HIDDEN>) id 1pGKQo-00066I-8Z for submit <at> debbugs.gnu.org; Fri, 13 Jan 2023 08:49:18 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludovic.courtes@HIDDEN>) id 1pGKQe-0005kP-HH for bug-guix@HIDDEN; Fri, 13 Jan 2023 08:49:14 -0500 Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludovic.courtes@HIDDEN>) id 1pGKQU-0006wm-OX for bug-guix@HIDDEN; Fri, 13 Jan 2023 08:49:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=i7RBKoE2w8aJ+3OYbbE91YKjUlXIL2F8nHvHWrZubyw=; b=FA/7SVZE3n32wFvDo3oLmrzGMLXEg/WG+LEyNBCgaUqUW93bEptPD3l9 hgph4ZwyxaNWpyJxut9l5gS6K7HELuMEBiSArXetgWFKLjzK4eQC06BXp mPvt+w3NRAGhtQXu0l3p5gsGtKzWf5n6i4a79BVLThMi2exFgpq57fwce 4=; Authentication-Results: mail2-relais-roc.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=ludovic.courtes@HIDDEN; dmarc=fail (p=none dis=none) d=inria.fr X-IronPort-AV: E=Sophos;i="5.97,214,1669071600"; d="scan'208";a="87527961" Received: from unknown (HELO ribbon) ([193.50.110.246]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jan 2023 14:48:54 +0100 From: 
=?utf-8?Q?Ludovic_Court=C3=A8s?= <ludovic.courtes@HIDDEN> To: bug-guix@HIDDEN Subject: Channels and dependency confusion X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Quartidi 24 =?utf-8?Q?Niv=C3=B4se?= an 231 de la =?utf-8?Q?R=C3=A9volution=2C?= jour du Cuivre X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Fri, 13 Jan 2023 14:48:53 +0100 Message-ID: <87r0vybl4q.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=192.134.164.83; envelope-from=ludovic.courtes@HIDDEN; helo=mail2-relais-roc.national.inria.fr X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -2.3 (--) In 
the light of the =E2=80=9Cdependency confusion=E2=80=9D attack on PyTorc= h=C2=B9, one might wonder how such a thing could affect Guix. The threat model is quite different though because the =E2=80=98guix=E2=80=99 channel is peer-reviewe= d and curated whereas PyPI isn=E2=80=99t. Yet, one way to =E2=80=9Ctranslate=E2=80=9D the attack to Guix is by lookin= g at module name clashes, as was suggested on Mastodon=C2=B2. For example, I=E2=80=99m the author of a channel; my packages refer to (@ (= gnu packages guile) guile-3.0), which I expect to be the =E2=80=9Cgenuine=E2=80= =9D Guile provided by the =E2=80=98guix=E2=80=99 channel. What happens if the user p= ulls in an additional channel that also provides (gnu packages guile) with that =E2=80=98guile-3.0=E2=80=99 variable? Nothing, because the =E2=80=98guix=E2=80=99 channel always comes first in t= he module search path (see =E2=80=98%package-module-path=E2=80=99 in (gnu packages)).= Good. Now same scenario, but with references to another channel, for example (@ (past packages boost) boost-1.68) provided by Guix-Past. This time, if the user pulls in an additional channel that also provides (@ (past packages boost) boost-1.68), we do not know which one is going to take precedence. It may go unnoticed though, because =E2=80=98channel-instances->derivation=E2=80=99 calls =E2=80=98profile-deri= vation=E2=80=99, which uses =E2=80=98build-profile=E2=80=99, which calls =E2=80=98union-build=E2=80=99 = with the default file collision policy, which is to warn (the warning only appears in the build log). I think it would be best to error out if multiple channels provide same-named files. Thoughts? Ludo=E2=80=99. =C2=B9 https://pytorch.org/blog/compromised-nightly-dependency/ =C2=B2 https://toot.aquilenet.fr/@Parnikkapore@HIDDEN/109636000975= 651971
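The collision check proposed in the message, written out as a stand-alone Guile example (added here; this is not Guix's own code and does not use the real ‘union-build’ or ‘profile-derivation’ procedures). Each channel is modelled as a constructed list of the relative file names its checkout provides; ‘module-collisions’ lists every file provided by more than one channel, and ‘check-channels’ turns that into a hard error rather than a warning in a build log. The channel names and file lists are made up for the demonstration.

```scheme
;; Added example, not part of Guix: detect same-named Scheme modules across
;; channel checkouts before they are unioned into a profile.
(use-modules (srfi srfi-1)
             (ice-9 match))

;; Constructed sample: each entry is (channel-name . relative-file-names),
;; mimicking the layout of a channel checkout.  The "evil" channel is a
;; hypothetical channel that shadows modules of two other channels.
(define %channels
  '((guix      "gnu/packages/guile.scm" "gnu/packages/boost.scm")
    (guix-past "past/packages/boost.scm")
    (evil      "gnu/packages/guile.scm" "past/packages/boost.scm")))

(define (file-name->module-name file)
  "Convert \"gnu/packages/guile.scm\" to the module name (gnu packages guile)."
  (map string->symbol
       (string-split (string-drop-right file (string-length ".scm")) #\/)))

(define (module-collisions channels)
  "Return an alist mapping each file name provided by more than one channel
to the list of channel names providing it, in channel order."
  (define providers
    ;; Build file -> (channel ...) by walking every channel's file list.
    (fold (lambda (channel table)
            (match channel
              ((name . files)
               (fold (lambda (file table)
                       (let ((current (or (assoc-ref table file) '())))
                         (cons (cons file (append current (list name)))
                               (alist-delete file table))))
                     table files))))
          '()
          channels))
  (filter (match-lambda ((_ . names) (> (length names) 1)))
          providers))

(define (check-channels channels)
  "Raise an error listing every collision instead of merely warning, which is
the stricter policy proposed above.  Return #t when there are no collisions."
  (match (module-collisions channels)
    (() #t)
    (collisions
     (error "same-named modules provided by several channels:"
            (map (match-lambda
                   ((file . names)
                    (format #f "~s: ~a"
                            (file-name->module-name file)
                            (string-join (map symbol->string names) ", "))))
                 collisions)))))

;; Demo: with the constructed channels above, (gnu packages guile) and
;; (past packages boost) are each provided twice, so the check refuses.
(for-each (match-lambda
            ((file . names)
             (format #t "~s provided by: ~a~%"
                     (file-name->module-name file)
                     (string-join (map symbol->string names) ", "))))
          (module-collisions %channels))

(catch 'misc-error
  (lambda () (check-channels %channels))
  (lambda (key . args)
    (format #t "refused: ~a~%" args)))

;; Without the shadowing channel there is nothing to report.
(format #t "clean set ok: ~a~%"
        (check-channels (alist-delete 'evil %channels)))
```

Note that this check flags the (gnu packages guile) clash as well, even though the message points out that the ‘guix’ channel wins that one in the module search path; erroring on every duplicate keeps the rule simple and makes the shadowing attempt visible to the user rather than only in a build log.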
bug#60782; Package guix
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.