On 04.04.24 at 16:24, aplanas wrote:
On 2024-04-04 13:55, Ben Greiner wrote:
But what if you also modify the hash in Cargo.lock?
You will see a patch doing that, if not that means that the tgz has been modified.
No, a malicious packager can modify it manually. See below.
This all makes a naive attack more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package.
Atri's argument from the beginning.
That will be a solution for the OBS case, not for the XZ one.
Atri's argument from the beginning.
Reviews are the only tool that I can see that can help, but it scales so far.
Again, who reviews vendor.tar.xz? I suspect nobody.
As commented, cargo itself. To change the lock file you need to change the original tarball, and it will (maybe) make the package source verifier[1] fail.
[1] https://en.opensuse.org/openSUSE:Package_source_verification
1. We currently have to work around the service because the fix for the vendor/audit dichotomy is still not released:
   https://github.com/openSUSE/obs-service-cargo_vendor/issues/69
   https://github.com/openSUSE/obs-service-source_validator/pull/129
   https://build.opensuse.org/request/show/1164389
   The fact that it is still possible to check in to OBS with --no-service and submit requests that go through staging shows that this is not thoroughly checked server-side.

2. Not even the cargo vendor service claims reproducibility:
   https://github.com/openSUSE/obs-service-cargo_vendor/issues/73

3. Change your "maybe" to "not":

[ben@skylab:…languages:python:jupyter]% osc co python-pycrdt [0]
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt
_service: 100%|###################################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/_service
pycrdt-0.8.17.tar.xz: 100%|#######################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/pycrdt-0.8.17.tar.xz
pycrdt.obsinfo: 100%|#############################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/pycrdt.obsinfo
python-pycrdt.changes: 100%|######################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/python-pycrdt.changes
python-pycrdt.spec: 100%|#########################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/python-pycrdt.spec
vendor.tar.xz: 100%|##############################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/vendor.tar.xz
At revision 5d545a11aef4b08d50094a7e681ed851.
[ben@skylab:…languages:python:jupyter]% ls [0]
python-pycrdt
[ben@skylab:…languages:python:jupyter]% cd python-pycrdt [0]
[ben@skylab:…on:jupyter/python-pycrdt]% ls [0]
pycrdt-0.8.17.tar.xz  pycrdt.obsinfo  python-pycrdt.changes  python-pycrdt.spec  _service  vendor.tar.xz
[ben@skylab:…on:jupyter/python-pycrdt]% tar xf vendor.tar.xz [0]
[ben@skylab:…on:jupyter/python-pycrdt]% rm -r vendor.tar.xz [0]
[ben@skylab:…on:jupyter/python-pycrdt]% echo "Extra totally not-suspicious extra file" > vendor/extrafile.txt [0]
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock [0]
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
[ben@skylab:…on:jupyter/python-pycrdt]% sed -i s/69f7f8/______/ Cargo.lock [0]
[ben@skylab:…on:jupyter/python-pycrdt]% tar cJf vendor.tar.xz Cargo.lock vendor [0]
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock [0]
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "______c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
[ben@skylab:…on:jupyter/python-pycrdt]% rm Cargo.lock [0]
[ben@skylab:…on:jupyter/python-pycrdt]% osc status [0]
M    vendor.tar.xz
[ben@skylab:…on:jupyter/python-pycrdt]% osc service runall source_validator [0]
python-pycrdt: package depends on rust but does not have cargo_audit configured. See https://en.opensuse.org/Packaging_Rust_Software
Rust Source Validator: Failed
Aborting: service call failed: /usr/lib/obs/service/source_validator --outdir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/tmp_edvo5s_.source_validator.service
[ben@skylab:…on:jupyter/python-pycrdt]% codium _service [0]
[ben@skylab:…on:jupyter/python-pycrdt]% osc diff _service | cat [0]
Index: _service
===================================================================
--- _service    (revision 5d545a11aef4b08d50094a7e681ed851)
+++ _service    (working copy)
@@ -18,4 +18,7 @@
     <param name="compression">xz</param>
     <param name="update">true</param>
   </service>
+  <service name="cargo_audit" mode="disabled">
+    <param name="srcdir">pycrdt</param>
+  </service>
 </services>
[ben@skylab:…on:jupyter/python-pycrdt]% osc service runall source_validator [0]
[ben@skylab:…on:jupyter/python-pycrdt]% echo $? [0]
0

Of course cargo build/python-maturin now fails because of the invalid checksum in Cargo.toml, but altering an actual vendored package and updating the checksum properly would avoid that: https://build.opensuse.org/request/show/1164987

The cargo vendoring is only an example. There are other languages and build systems suffering from this, too.

- Ben
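Review bot: the hunk adds the cargo_audit service with mode="disabled", and the following source_validator run exits 0, so the validator is satisfied by the mere presence of a <service name="cargo_audit"> element; its earlier error ("does not have cargo_audit configured") confirms it tests for configuration, not for an audit having run. A check that is meant to guarantee an audit should reject mode="disabled" here (or require audit output to be present), since a disabled stanza is equivalent to having no audit at all.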