justanotheruser has quit [Ping timeout: 244 seconds]
justanotheruser has joined #nixos-security
FRidh has quit [Remote host closed the connection]
FRidh has joined #nixos-security
justanotheruser has quit [Ping timeout: 260 seconds]
justanotheruser has joined #nixos-security
ris has joined #nixos-security
FRidh has quit [Ping timeout: 265 seconds]
FRidh has joined #nixos-security
Freneticks has quit [Quit: WeeChat 2.3]
FRidh has quit [Quit: Konversation terminated!]
kleisli_ has quit [Ping timeout: 240 seconds]
kleisli_ has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]
kleisli_ has quit [Ping timeout: 260 seconds]
justanotheruser has quit [Ping timeout: 244 seconds]
Raito_Bezarius has joined #nixos-security
<Raito_Bezarius>
hi there
<Raito_Bezarius>
I had a quick question regarding nixpkgs security model
<Raito_Bezarius>
If someone comes and adds a malware package which looks a "real package"
<Raito_Bezarius>
what happens?
<Raito_Bezarius>
how much nixpkgs is protected against such attacks?
<Raito_Bezarius>
let's admit he even tries to do a real package, without any malware in it
<Raito_Bezarius>
and then he sends a bump PR
<Raito_Bezarius>
where the new hash points to a malware version
<MichaelRaskin>
Malware or known-vulnerable?
<Raito_Bezarius>
Rather malware
<Raito_Bezarius>
Like I do some soft, then I add a SSH stealing key feature
<MichaelRaskin>
Switching upstream makes people ask for some justification
<Raito_Bezarius>
If it's "a new package" ?
<MichaelRaskin>
If you create a new project with some reasonable functionality to later insert malware in the next bump, _that_ indeed won't be caught
<Raito_Bezarius>
Is there a real threat in practice?
<Raito_Bezarius>
is that *
<MichaelRaskin>
Also, Nixpkgs contains so much half-broken niche software that people hopefully quickly lose the idea that existence of a package is an indication … of anything
<Raito_Bezarius>
:D
<MichaelRaskin>
Maybe it is an indication that it was buildable at least once in the history
<MichaelRaskin>
If you want to mount an attack with a chance of actual impact, the process would probably be different
<MichaelRaskin>
Step 1. Submit PRs fixing real build failures. Ideally one or two daily, for a month. Also build random PRs, test the result and comment on testing results.
<MichaelRaskin>
That gives you quite a bit of reputation even if you do not ask for the commit access yet
<MichaelRaskin>
Step 2. Wait until a high-profile package has an upstream vulnerability.
<MichaelRaskin>
Step 3. Submit a patch that is a part of the upstream fix, but insufficient in isolation, as a full fix.
<MichaelRaskin>
Don't forget about backports, obviously
<Raito_Bezarius>
Thanks MichaelRaskin :)
<Raito_Bezarius>
Makes sense
<MichaelRaskin>
Now I am scared
<gchristensen>
MichaelRaskin: not used to being sensible?
<MichaelRaskin>
Your response is perfectly consistent with a «hm, a nice plan, should try» reaction
<Raito_Bezarius>
:DDDDDD
<Raito_Bezarius>
Well, I had a friend who asked me why this was not feasible
<Raito_Bezarius>
And he even said "I should definitely try", and I said to him to come here ask for permission first :DDDD
<Raito_Bezarius>
But my "makes sense" is more now "I am going to increase my caution level"
<MichaelRaskin>
I think even Debian only tries to keep close track of the highest-impact upstreams
justanotheruser has joined #nixos-security
<infinisil>
But then again, if it's a niche package you could contaminate without people realizing, it's probably so niche that there's almost no benefit to doing it
<infinisil>
Like, Linux is already niche, NixOS even more so, and then add the package nicheness too
<infinisil>
Very high effort for very little benefit
<gchristensen>
unless you happen to know a specific target who uses a niche tool
<infinisil>
(though the nicheness of Linux and NixOS could change over time)
<gchristensen>
(I'd argue it is rapidly becoming less niche)