On Wed, Feb 10, 2021 at 07:51:23AM +, Christopher Baines wrote:
>
> Ryan Prior writes:
>
> > However, I'm still thinking about how to attack Guix users. Somebody who
> > adds an internal channel for their own packages could still be
> > vulnerable to a dependency confusion attack via a compr
On 2/10/21 2:51 AM, Christopher Baines wrote:
I'm not sure you can escape trusting the collection of channels you're
using. Because channels are code that's expected to interact, I'm not
sure it's easy to target a single package from a specific channel, and
expect that this provides some security
Hi Ryan,
On Wed, 10 Feb 2021 at 00:08, Ryan Prior wrote:
> What comes to my mind is that we should encourage (require?) people to
> specify the channel name a package belongs to, if it's not the "guix"
> channel. So instead of referring to "python-beautifulsoup4" (ambiguous:
> is this from my ch
Ryan Prior writes:
> However, I'm still thinking about how to attack Guix users. Somebody who
> adds an internal channel for their own packages could still be
> vulnerable to a dependency confusion attack via a compromised or
> manipulated Guix maintainer. The target of the attack could install
Hi,
very interesting read.
> However, I'm still thinking about how to attack Guix users. Somebody who
> adds an internal channel for their own packages could still be
> vulnerable to a dependency confusion attack via a compromised or
> manipulated Guix maintainer. The target of the attack could i
Hi Guix! I've been digesting this piece, published hours ago, describing
dependency confusion attacks that revealed severe vulnerabilities at
many major organizations: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Guix users already have a few mitigations against this sort of