On 04.04.24 at 16:24, aplanas wrote:
On 2024-04-04 13:55, Ben Greiner wrote:

But what if you also modify the hash in Cargo.lock?

You will see a patch doing that, if not that means that the tgz has been modified.

No, a malicious packager can modify it manually. See below.


This all makes naive attacks more evident, but AFAIK I still did not see any idea that will protect us from the kind of attack that XZ suffered, when a rogue maintainer signs compromised upstream tarballs, nor, as commented, when an OBS package maintainer decides to add a backdoor in the package.

Atri's argument from the beginning.

That will be a solution for the OBS case, not for the XZ one.

Atri's argument from the beginning.


Reviews are the only tool that I can see that can help, but they only scale so far.

Again, who reviews vendor.tar.xz? I suspect nobody.

As commented, cargo itself. To change the lock file you need to change the original tarball, and it will (maybe) make the package source verifier[1] fail.

[1] https://en.opensuse.org/openSUSE:Package_source_verification

1. We currently have to work around the service because the fix for the vendor/audit dichotomy is still not released
https://github.com/openSUSE/obs-service-cargo_vendor/issues/69
https://github.com/openSUSE/obs-service-source_validator/pull/129
https://build.opensuse.org/request/show/1164389

The fact that it is still possible to check in to OBS with --no-service and submit requests that go through staging shows that this is not thoroughly checked server-side.

2. Not even the cargo vendor service claims reproducibility:
https://github.com/openSUSE/obs-service-cargo_vendor/issues/73

3. Change your "maybe" to "not":


[ben@skylab:…languages:python:jupyter]% osc co python-pycrdt                                                                                 [0]
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt
_service: 100%|###################################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/_service
pycrdt-0.8.17.tar.xz: 100%|#######################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/pycrdt-0.8.17.tar.xz
pycrdt.obsinfo: 100%|#############################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/pycrdt.obsinfo
python-pycrdt.changes: 100%|######################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/python-pycrdt.changes
python-pycrdt.spec: 100%|#########################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/python-pycrdt.spec
vendor.tar.xz: 100%|##############################################################################################################| Time: 0:00:00
A    /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/vendor.tar.xz
At revision 5d545a11aef4b08d50094a7e681ed851.
[ben@skylab:…languages:python:jupyter]% ls                                                                                                   [0]
python-pycrdt
[ben@skylab:…languages:python:jupyter]% cd python-pycrdt                                                                                     [0]
[ben@skylab:…on:jupyter/python-pycrdt]% ls                                                                                                   [0]
pycrdt-0.8.17.tar.xz  pycrdt.obsinfo  python-pycrdt.changes  python-pycrdt.spec  _service  vendor.tar.xz
[ben@skylab:…on:jupyter/python-pycrdt]% tar xf vendor.tar.xz                                                                                 [0]
[ben@skylab:…on:jupyter/python-pycrdt]% rm -r vendor.tar.xz                                                                                  [0]
[ben@skylab:…on:jupyter/python-pycrdt]% echo "Extra totally not-suspicious extra file" > vendor/extrafile.txt                                [0]
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock                                                                                      [0]
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"

[ben@skylab:…on:jupyter/python-pycrdt]% sed -i s/69f7f8/______/ Cargo.lock                                                                   [0]
[ben@skylab:…on:jupyter/python-pycrdt]% tar cJf vendor.tar.xz Cargo.lock vendor                                                              [0]
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock                                                                                      [0]
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "______c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"

[ben@skylab:…on:jupyter/python-pycrdt]% rm Cargo.lock                                                                                        [0]
[ben@skylab:…on:jupyter/python-pycrdt]% osc status                                                                                           [0]
M    vendor.tar.xz
[ben@skylab:…on:jupyter/python-pycrdt]% osc service runall source_validator                                                                  [0]
python-pycrdt: package depends on rust but does not have cargo_audit configured. See https://en.opensuse.org/Packaging_Rust_Software
Rust Source Validator: Failed
Aborting: service call failed:  /usr/lib/obs/service/source_validator --outdir /home/ben/src/osc/home:bnavigator:branches:devel:languages:python:jupyter/python-pycrdt/tmp_edvo5s_.source_validator.service
[ben@skylab:…on:jupyter/python-pycrdt]% codium _service                                                                                      [0]
[ben@skylab:…on:jupyter/python-pycrdt]% osc diff _service | cat                                                                              [0]
Index: _service
===================================================================
--- _service    (revision 5d545a11aef4b08d50094a7e681ed851)
+++ _service    (working copy)
@@ -18,4 +18,7 @@
     <param name="compression">xz</param>
     <param name="update">true</param>
  </service>
+  <service name="cargo_audit" mode="disabled">
+     <param name="srcdir">pycrdt</param>
+  </service>  
</services>
[ben@skylab:…on:jupyter/python-pycrdt]% osc service runall source_validator                                                                  [0]
[ben@skylab:…on:jupyter/python-pycrdt]% echo $?                                                                                              [0]
0
Of course cargo build/python-maturin now fails because of the invalid checksum in Cargo.toml, but altering an actual vendored package and updating the checksum properly would avoid that:

https://build.opensuse.org/request/show/1164987

The cargo vendoring is only an example. There are other languages and build systems suffering from this, too.

- Ben
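The session above shows that source_validator only checks whether a cargo_audit service is configured, not what is inside vendor.tar.xz. The following is an added example, not code from this thread or from any openSUSE service, of what a content check of the extracted tarball could look like: it parses Cargo.lock with a small line-based parser (so it needs no TOML library), compares each registry crate's .cargo-checksum.json against the lockfile and against the files on disk, and flags anything in vendor/ that no lockfile package accounts for. The vendor tree, the crate contents and the package checksum are constructed in a temporary directory (the real `package` value would be the sha256 of the .crate archive from crates.io); the tamper option repeats the two manipulations from the session, an extra file dropped into vendor/ and the first bytes of the Cargo.lock checksum overwritten.

```python
"""Offline integrity check of a `cargo vendor` tree against Cargo.lock (added example)."""
import hashlib
import json
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")
KV = re.compile(r'^(name|version|source|checksum)\s*=\s*"([^"]*)"$')


def parse_cargo_lock(text):
    """Return {(name, version): {field: value}} for every [[package]] table."""
    packages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current:
                packages[(current["name"], current["version"])] = current
            current = {}
        elif current is not None and KV.match(line):
            key, value = KV.match(line).groups()
            current[key] = value
    if current:
        packages[(current["name"], current["version"])] = current
    return packages


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_vendor(vendor_dir, lock_text):
    """Return a list of findings; an empty list means the tree matches the lockfile."""
    findings = []
    packages = parse_cargo_lock(lock_text)
    # cargo vendor names a crate directory `<name>`, or `<name>-<version>` when
    # several versions of the same crate are vendored side by side.
    expected = {}
    for (name, version), meta in packages.items():
        if not meta.get("source", "").startswith("registry+"):
            continue  # path and git dependencies do not live in vendor/
        versions = [v for (n, v) in packages if n == name]
        dirname = name if len(versions) == 1 else f"{name}-{version}"
        expected[dirname] = (name, version, meta.get("checksum"))

    for dirname, (name, version, checksum) in expected.items():
        label = f"{name} {version}"
        if checksum is None or not HEX64.match(checksum):
            findings.append(f"{label}: malformed or missing checksum in Cargo.lock: {checksum!r}")
        crate_dir = os.path.join(vendor_dir, dirname)
        manifest_path = os.path.join(crate_dir, ".cargo-checksum.json")
        if not os.path.isfile(manifest_path):
            findings.append(f"{label}: vendor/{dirname}/.cargo-checksum.json missing")
            continue
        with open(manifest_path) as f:
            manifest = json.load(f)
        if manifest.get("package") != checksum:
            findings.append(f"{label}: package checksum {manifest.get('package')!r} "
                            f"does not match Cargo.lock {checksum!r}")
        listed = manifest.get("files", {})
        for rel, want in listed.items():
            path = os.path.join(crate_dir, rel)
            if not os.path.isfile(path):
                findings.append(f"{label}: listed file {rel} missing")
            elif sha256_file(path) != want:
                findings.append(f"{label}: {rel} differs from .cargo-checksum.json")
        # Files present in the crate directory that the manifest never mentions.
        for root, _dirs, files in os.walk(crate_dir):
            for fn in files:
                rel = os.path.relpath(os.path.join(root, fn), crate_dir).replace(os.sep, "/")
                if rel != ".cargo-checksum.json" and rel not in listed:
                    findings.append(f"{label}: unlisted extra file {rel}")

    for entry in sorted(os.listdir(vendor_dir)):
        if entry not in expected:
            findings.append(f"vendor/{entry}: not referenced by any Cargo.lock package")
    return findings


LOCK_TEMPLATE = """# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "arc-swap"
version = "1.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{checksum}"
"""
GOOD_SRC = b"pub fn hello() {}\n"  # constructed crate content


def build_demo_tree(tamper=False):
    """Construct a one-crate vendor tree in a temp dir; return (vendor_dir, lock_text)."""
    vendor = os.path.join(tempfile.mkdtemp(), "vendor")
    crate = os.path.join(vendor, "arc-swap")
    os.makedirs(os.path.join(crate, "src"))
    with open(os.path.join(crate, "src", "lib.rs"), "wb") as f:
        f.write(GOOD_SRC)
    # Constructed stand-in for the sha256 of the .crate archive (assumption, not the real value).
    pkg_sum = hashlib.sha256(b"constructed arc-swap-1.7.1.crate").hexdigest()
    manifest = {"files": {"src/lib.rs": hashlib.sha256(GOOD_SRC).hexdigest()}, "package": pkg_sum}
    with open(os.path.join(crate, ".cargo-checksum.json"), "w") as f:
        json.dump(manifest, f)
    lock = LOCK_TEMPLATE.format(checksum=pkg_sum)
    if tamper:  # the same two edits as in the osc session
        with open(os.path.join(vendor, "extrafile.txt"), "w") as f:
            f.write("Extra totally not-suspicious extra file\n")
        lock = lock.replace(f'checksum = "{pkg_sum[:6]}', 'checksum = "______', 1)
    return vendor, lock
```

Calling `verify_vendor(*build_demo_tree())` returns an empty list; `verify_vendor(*build_demo_tree(tamper=True))` returns three findings (malformed checksum, package checksum mismatch, unreferenced vendor/extrafile.txt). The same check, run by a service over the extracted vendor.tar.xz, would fail at `osc service runall` time instead of depending on a reviewer opening the tarball by hand.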