Hi, very interesting read.
> However, I'm still thinking about how to attack Guix users. Somebody who
> adds an internal channel for their own packages could still be
> vulnerable to a dependency confusion attack via a compromised or
> manipulated Guix maintainer. The target of the attack could install
> packages they believed would be provided by their internal channel but
> actually get another package provided upstream.

Usually you’d use module imports and variable names inside your channel’s packages. Wouldn’t that defeat this attack? (Depending on Guix’/Guile’s module loading order of course.)

What about substitute servers? As far as I understand, as soon as they’re authorized they can deliver substitutes for *any* package.

Lars
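To make the distinction Lars is drawing concrete (a dependency bound as a Guile variable from an explicitly imported module, versus a package looked up by name across all channels), here is an added example of a minimal channel module. It is not code from this thread or from Guix itself; the channel module name `(my-channel packages internal)`, the package names and the home page URL are assumptions for illustration, and the comments describe the name-resolution behaviour as I understand it.

```scheme
;; Added example, not from the thread.  Hypothetical file in an internal
;; channel: my-channel/packages/internal.scm
(define-module (my-channel packages internal)
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module (guix build-system trivial)
  #:use-module ((guix licenses) #:prefix license:)
  ;; Upstream module imported explicitly; it exports the variable `coreutils'.
  #:use-module (gnu packages base))

(define-public internal-tool
  (package
    (name "internal-tool")
    (version "1.0")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     (list #:builder
           #~(begin
               (mkdir #$output)
               (call-with-output-file (string-append #$output "/README")
                 (lambda (port)
                   (display "internal-tool 1.0\n" port))))))
    (synopsis "Hypothetical internal tool")
    (description "Placeholder package used to illustrate channel references.")
    (home-page "https://example.invalid/internal-tool")   ; assumed URL
    (license license:expat)))

;; A second internal package that depends on internal-tool.  The inputs are
;; the Guile *variables* `internal-tool' (bound in this module) and
;; `coreutils' (bound by the imported (gnu packages base)).  Guile's module
;; system resolves them when this file is loaded; no name-based lookup in the
;; package database happens, so an upstream package that merely shares the
;; name "internal-tool" does not affect this binding.
(define-public internal-app
  (package
    (inherit internal-tool)
    (name "internal-app")
    (inputs (list internal-tool coreutils))
    (synopsis "Hypothetical internal application")))

;; By contrast, a name-based lookup searches every package module of every
;; loaded channel and, as far as I know, selects by name and then by highest
;; version, warning when the choice is ambiguous:
;;
;;   (use-modules (gnu packages))
;;   (specification->package "internal-tool")
;;
;; That is the path taken by `guix install internal-tool' and by manifests
;; built from specification strings, and it is the place where a same-named
;; package from another channel could be chosen instead of the internal one.
;; A quick check for such collisions is `guix show internal-tool', which
;; lists every package with that name together with the file (location) that
;; defines it.
```

The practical split is therefore between package definitions (variable references, resolved by module) and user-facing commands or manifests that take name strings; only the latter go through the cross-channel name lookup that a dependency-confusion attempt would need.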