On 04.04.24 at 16:24, aplanas wrote:
On 2024-04-04 13:55, Ben Greiner wrote:
But what if you also modify the hash in Cargo.lock?
You will see a patch doing that, if not that means that the tgz has been modified.
No, a malicious packager can modify it manually. See below.
This all makes a naive attack more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package.
Atri's argument from the beginning.
That will be a solution for the OBS case, not for the XZ one.
Atri's argument from the beginning.
Reviews are the only tool that I can see that can help, but they only scale so far.
Again, who reviews vendor.tar.xz? I suspect nobody.
As commented, cargo itself. To change the lock file you need to change the original tarball, and it will (maybe) make the package source verifier[1] fail.
[1] https://en.opensuse.org/openSUSE:Package_source_verification
1. We currently have to work around the service because the fix for the vendor/audit dichotomy is still not released:
https://github.com/openSUSE/obs-service-cargo_vendor/issues/69
https://github.com/openSUSE/obs-service-source_validator/pull/129
https://build.opensuse.org/request/show/1164389
The fact that it is still possible to check in to OBS with --no-service, and that submit requests go through staging, shows that this is not thoroughly checked server-side.
2. Not even the cargo vendor service claims reproducibility:
https://github.com/openSUSE/obs-service-cargo_vendor/issues/73
3. Change your "maybe" to "not":
[ben@skylab:…languages:python:jupyter]% osc co python-pycrdt
[0]
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt
_service: 100%|###################################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/_service
pycrdt-0.8.17.tar.xz: 100%|#######################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/pycrdt-0.8.17.tar.xz
pycrdt.obsinfo: 100%|#############################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/pycrdt.obsinfo
python-pycrdt.changes: 100%|######################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/python-pycrdt.changes
python-pycrdt.spec: 100%|#########################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/python-pycrdt.spec
vendor.tar.xz: 100%|##############################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/vendor.tar.xz
At revision 5d545a11aef4b08d50094a7e681ed851.
[ben@skylab:…languages:python:jupyter]% ls
[0]
python-pycrdt
[ben@skylab:…languages:python:jupyter]% cd python-pycrdt
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% ls
[0]
pycrdt-0.8.17.tar.xz  pycrdt.obsinfo  python-pycrdt.changes  python-pycrdt.spec  _service  vendor.tar.xz
[ben@skylab:…on:jupyter/python-pycrdt]% tar xf vendor.tar.xz
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% rm -r vendor.tar.xz
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% echo "Extra totally not-suspicious extra file" > vendor/extrafile.txt
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock
[0]
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
[ben@skylab:…on:jupyter/python-pycrdt]% sed -i s/69f7f8/______/ Cargo.lock
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% tar cJf vendor.tar.xz Cargo.lock vendor
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock
[0]
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "______c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
[ben@skylab:…on:jupyter/python-pycrdt]% rm Cargo.lock
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% osc status
[0]
M    vendor.tar.xz
[ben@skylab:…on:jupyter/python-pycrdt]% osc service runall source_validator
[0]
python-pycrdt: package depends on rust but does not have cargo_audit configured. See https://en.opensuse.org/Packaging_Rust_Software
Rust Source Validator: Failed
Aborting: service call failed: /usr/lib/obs/service/source_validator --outdir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/tmp_edvo5s_.source_validator.service
[ben@skylab:…on:jupyter/python-pycrdt]% codium _service
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% osc diff _service | cat
[0]
Index: _service
===================================================================
--- _service (revision 5d545a11aef4b08d50094a7e681ed851)
+++ _service (working copy)
@@ -18,4 +18,7 @@
<param name="compression">xz</param>
<param name="update">true</param>
</service>
+ <service name="cargo_audit" mode="disabled">
+ <param name="srcdir">pycrdt</param>
+ </service>
</services>
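Review bot: the cargo_audit stanza is added with mode="disabled", so on the OBS server the service is never executed; the source_validator evidently only checks that a cargo_audit entry is present in _service (it complained "does not have cargo_audit configured" and passes with exit status 0 once this disabled stanza exists). If the validator is meant to enforce that vendored crates are audited, it has to reject mode="disabled" (or look for the audit's output), not merely test for the presence of `<service name="cargo_audit"`.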
[ben@skylab:…on:jupyter/python-pycrdt]% osc service runall source_validator
[0]
[ben@skylab:…on:jupyter/python-pycrdt]% echo $?
[0]
0
Of course cargo build/python-maturin now fails because of the
invalid checksum in Cargo.toml, but altering an actual vendored
package and updating the checksum properly would avoid that:
https://build.opensuse.org/request/show/1164987
The cargo vendoring is only an example. There are other languages
and build systems suffering from this, too.
- Ben
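The session above shows the two edits a rogue packager can make to vendor.tar.xz without any service noticing: a stray file dropped into vendor/, and a checksum rewritten in the shipped Cargo.lock. The following is an added example, not openSUSE or cargo tooling, of the mechanical review that would catch both, plus a patched crate file. It assumes the reviewer obtains Cargo.lock from the upstream tarball (pycrdt-0.8.17.tar.xz in the thread) rather than from inside vendor.tar.xz, and it relies on the `.cargo-checksum.json` file that `cargo vendor` writes into every crate directory (`"files"`: sha256 per extracted file; `"package"`: sha256 of the .crate as fetched, which must equal the Cargo.lock entry). The crate, lock file and tampering are constructed sample data.

```python
"""Added example: review an extracted vendor/ tree against a trusted (upstream) Cargo.lock."""
import hashlib, json, os, re, tempfile
from collections import Counter
from pathlib import Path


def parse_cargo_lock(text):
    """{(name, version): checksum} from a v3 Cargo.lock; None for path/workspace crates."""
    packages, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):  # [[package]] or another table such as [metadata]
            if cur is not None:
                packages[(cur.get("name"), cur.get("version"))] = cur.get("checksum")
            cur = {} if line == "[[package]]" else None
            continue
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if cur is not None and m:
            cur[m.group(1)] = m.group(2)
    if cur is not None:
        packages[(cur.get("name"), cur.get("version"))] = cur.get("checksum")
    return packages


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def verify_vendor(vendor_dir, trusted_lock_text):
    """Return findings; an empty list means the tree agrees with the trusted lock."""
    lock = {k: v for k, v in parse_cargo_lock(trusted_lock_text).items() if v}
    counts = Counter(name for name, _ in lock)
    # cargo vendor names the directory after the crate unless several versions are vendored
    names = {k: [f"{k[0]}-{k[1]}"] + ([k[0]] if counts[k[0]] == 1 else []) for k in lock}
    dir_checksum = {d: lock[k] for k, ds in names.items() for d in ds}
    present, findings = set(os.listdir(vendor_dir)), []
    for (name, version), ds in names.items():
        if not any(d in present for d in ds):
            findings.append(f"{name} {version}: in Cargo.lock but not vendored")
    for entry in sorted(present):
        path = os.path.join(vendor_dir, entry)
        if not os.path.isdir(path):
            findings.append(f"{entry}: stray file at top level of vendor/")
            continue
        if entry not in dir_checksum:
            findings.append(f"{entry}: vendored crate not in Cargo.lock")
            continue
        meta_path = Path(path, ".cargo-checksum.json")
        meta = json.loads(meta_path.read_text()) if meta_path.is_file() else {}
        if meta.get("package") != dir_checksum[entry]:  # sha256 of the .crate as fetched
            findings.append(f"{entry}: package checksum differs from Cargo.lock")
        listed = meta.get("files", {})
        on_disk = {os.path.relpath(os.path.join(dp, fn), path).replace(os.sep, "/")
                   for dp, _, fns in os.walk(path) for fn in fns} - {".cargo-checksum.json"}
        for rel in sorted(on_disk - set(listed)):
            findings.append(f"{entry}/{rel}: file not listed in .cargo-checksum.json")
        for rel in sorted(on_disk & set(listed)):
            if sha256_file(os.path.join(path, rel)) != listed[rel]:
                findings.append(f"{entry}/{rel}: content hash differs from .cargo-checksum.json")
    return findings


def lock_diff(trusted_lock_text, shipped_lock_text):
    """Entries whose checksum in the lock shipped inside vendor.tar.xz differs from upstream's."""
    a, b = parse_cargo_lock(trusted_lock_text), parse_cargo_lock(shipped_lock_text)
    return sorted(f"{n} {v}: checksum {a.get((n, v))} != {b.get((n, v))}"
                  for n, v in set(a) | set(b) if a.get((n, v)) != b.get((n, v)))


def build_sample_tree(root):
    """Constructed one-crate vendor tree plus a matching lock (sample data, not a real crate)."""
    crate = Path(root, "vendor", "arc-swap")
    (crate / "src").mkdir(parents=True)
    files = {"Cargo.toml": b'[package]\nname = "arc-swap"\nversion = "1.7.1"\n',
             "src/lib.rs": b"pub fn hello() -> &'static str { \"hi\" }\n"}
    for rel, data in files.items():
        (crate / rel).write_bytes(data)
    pkg_sha = hashlib.sha256(b"constructed arc-swap-1.7.1.crate").hexdigest()  # stand-in for the .crate hash
    meta = {"files": {r: hashlib.sha256(d).hexdigest() for r, d in files.items()}, "package": pkg_sha}
    (crate / ".cargo-checksum.json").write_text(json.dumps(meta))
    lock = ('version = 3\n\n[[package]]\nname = "arc-swap"\nversion = "1.7.1"\n'
            'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
            f'checksum = "{pkg_sha}"\n')
    return str(crate.parent), lock, pkg_sha


def run_scenarios():
    """Clean tree, the thread's two edits (stray file, sed on the lock), then a patched crate file."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        vendor, lock, pkg_sha = build_sample_tree(root)
        results["clean"] = verify_vendor(vendor, lock)
        stray = Path(vendor, "extrafile.txt")
        stray.write_text("Extra totally not-suspicious extra file\n")
        results["stray_file"] = verify_vendor(vendor, lock)
        stray.unlink()
        edited = lock.replace(f'checksum = "{pkg_sha[:6]}', 'checksum = "______')
        results["edited_lock"] = lock_diff(lock, edited)  # shipped lock vs. upstream lock
        lib = Path(vendor, "arc-swap", "src", "lib.rs")
        lib.write_bytes(lib.read_bytes() + b"// a change nobody reviewed\n")
        results["patched_file"] = verify_vendor(vendor, lock)
    return results
```

The caveat that matters for the XZ-style case: `"package"` is a recorded value, not something recomputable from the extracted tree, so a packager who patches a vendored file and regenerates `.cargo-checksum.json` consistently passes every check above. Catching that requires re-fetching each .crate by the checksum in the upstream Cargo.lock and diffing it against the vendored directory, which is exactly what a reproducible `cargo vendor` run (the reproducibility issue linked above) would provide.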