Hi, On lun., 16 janv. 2023 at 10:00, Ludovic Courtès <ludovic.cour...@inria.fr> wrote:
>> Well, the assumption for a similar attack using Guix channels is that >> the user first adds the channel to their channel list. Therefore, they >> trust what they consider able to be trust. ;-) > > Right, users would have to explicitly add the offending channel to their > channel list in the first place. (And there are many other ways channel > code could mess up with one’s machine.) To be precise, the user must add a compromised channel; either compromised by the packages which this channel offers or either by some dependencies channel of this very same channel. For instance, consider the user adds the channel guix-bimsb which contains this .guix-channel [1] file: --8<---------------cut here---------------start------------->8--- (channel (version 0) (dependencies (channel (name guix-past) (url "https://gitlab.inria.fr/guix-hpc/guix-past")) (channel (name guix-science) (url "https://github.com/guix-science/guix-science.git")))) --8<---------------cut here---------------end--------------->8--- Here, the user could be compromised if the attacker is able to compromise guix-past or guix-science. The user who trusts guix-bimsb is maybe not aware of this recursive dependencies; but because they trust guix-bimsb in the first place, somehow it means they trust people behind guix-bimsb to check that guix-past or guix-science is not compromised. Well, somehow it is a web of trust. And if all channels are using authentication, then the attack is hard, no? 1: <https://github.com/BIMSBbioinfo/guix-bimsb/blob/master/.guix-channel> Cheers, simon