From: Maxime Devos
To: Ludovic Courtès, "pelzflorian (Florian Pelz)"
Cc: 50960@debbugs.gnu.org
Date: Mon, 04 Oct 2021 18:50:27 +0200
Subject: Re: [bug#50960] [PATCH 00/10] Add 'guix shell' to subsume 'guix environment'
Message-ID: <991f4d26de32b3b9c93b1112920f11427a54f4fd.camel@telenet.be>
In-Reply-To: <87ee91ryg1.fsf@gnu.org>

Ludovic Courtès wrote on Mon 04-10-2021 at 10:22 [+0200]:
> Hi,
> 
> "pelzflorian (Florian Pelz)" wrote:
> 
> > On Sat, Oct 02, 2021 at 03:40:00PM +0200, Ludovic Courtès wrote:
> > > "pelzflorian (Florian Pelz)" wrote:
> > > > On Sat, Oct 02, 2021 at 12:21:16PM +0200, Ludovic Courtès wrote:
> > > > > 2. ‘guix shell’, without arguments, loads ‘guix.scm’ or ‘manifest.scm’
> > > > > from the current directory or one of its ancestors.
> > > > This however is concerning. Users will not expect guix to execute
> > > > arbitrary code. Maybe print a suggestion to maybe --file the file
> > > > instead.
> > > I think it’s fine as long as, as in the case of ‘haunt build’ or ‘make’
> > > or ‘git’, it’s properly documented. Also, ‘guix shell’ unconditionally
> > > writes a message.
> > 
> > Let’s say I have downloaded undesirable code to a file
> > /home/florian/Downloads/guix.scm and am hacking on source code in
> > /home/florian/Downloads/something/ where I run `guix shell`, but
> > /home/florian/Downloads/something/ does not in fact contain a
> > guix.scm file. Now I’d have accidentally run the other guix.scm.
> 
> Sure, but it’s all under your control; it’s not very different from
> someone knowingly running “guix build -f guix.scm” on an untrusted file,
> is it?
Consider the following situation:

1. I browse the web and find some rando's website. It has a link to a "guix.scm" to download.
2. I'd like to know how people are using guix, so I tell IceCat to download it. IceCat downloads it to ~/Downloads/guix.scm.
3. I forget about the guix.scm and didn't look at it.
4. I download some tarball, verify it (with gpg or something), unpack it, and run "guix shell" without arguments from within the directory (e.g. ~/Downloads/some-source-code).
5. It turns out the tarball didn't actually have a guix.scm, so the ~/Downloads/guix.scm from the rando is loaded.
6. It turns out the rando's guix.scm uploads my secret keys, passwords, all e-mails, installs a keylogger ... Oops!

> > Also `make` is typically used without arguments, but a novice `guix
> > shell` user might know `guix shell program-a program-b` but is
> > surprised when running `guix shell` without arguments in an untrusted
> > directory.
> 
> We have the advantage that ‘guix shell’ is a new command, so we can
> document it from the start as behaving this way without arguments.

Sure, this behaviour can be documented, but it's very easy to forget a piece of documentation, especially if the behaviour is inconsistent between "guix environment" and "guix shell", and an attacker only needs an attack to function once.

I'd prefer not to be constantly kept on my toes, so if "guix shell" will automatically load guix.scm in the current directory or parent directories, I think I'll keep using "guix environment" to avoid any opportunities for fatal mistakes.

Greetings,
Maxime.
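The ancestor-directory lookup that Maxime's scenario turns on, as an added example that is not part of this thread and not Guix's own code. It recreates steps 2, 4 and 5 in a temporary directory with a constructed ~/Downloads/guix.scm, shows that a walk upward from ~/Downloads/some-source-code picks up the stray file in the parent directory, and pairs the lookup with an assumed per-directory allowlist (an illustrative mitigation of my own, not one proposed in the thread) under which a file is only auto-loaded when the directory that actually holds it was explicitly authorized. The function names (`find_env_file`, `decide`, `run_scenario`) and the allowlist design are assumptions; nothing here evaluates any Scheme.

```python
import tempfile
from pathlib import Path

# Files that, per the thread, 'guix shell' would look for when run without arguments.
ENV_FILES = ("guix.scm", "manifest.scm")


def find_env_file(start, names=ENV_FILES):
    """Walk from `start` through each of its ancestors and return the first
    guix.scm/manifest.scm found, or None. This is the lookup the thread describes."""
    start = Path(start).resolve()
    for directory in (start, *start.parents):
        for name in names:
            candidate = directory / name
            if candidate.is_file():
                return candidate
    return None


def is_authorized(env_file, authorized_dirs):
    """Assumed mitigation (not from the thread): auto-loading is allowed only when
    the directory that holds the file was explicitly authorized by the user."""
    holder = Path(env_file).resolve().parent
    return any(holder == Path(d).resolve() for d in authorized_dirs)


def decide(start, authorized_dirs):
    """Return ('nothing-found' | 'refuse' | 'load', path) for a run started in `start`."""
    found = find_env_file(start)
    if found is None:
        return "nothing-found", None
    if is_authorized(found, authorized_dirs):
        return "load", found
    return "refuse", found


def run_scenario():
    """Recreate the thread's scenario in a temporary directory (constructed layout;
    nothing is loaded or executed) and report what each policy would do."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve()
        downloads = home / "Downloads"
        project = downloads / "some-source-code"
        project.mkdir(parents=True)
        # Constructed stand-in for the stray file saved in step 2 of the scenario.
        (downloads / "guix.scm").write_text(
            ";; constructed: file saved from an untrusted website\n")

        stray = find_env_file(project)
        no_allowlist = decide(project, authorized_dirs=[])
        project_ok = decide(project, authorized_dirs=[project])
        downloads_ok = decide(project, authorized_dirs=[downloads])

        # Now give the project its own guix.scm: the walk finds that one first.
        (project / "guix.scm").write_text(";; constructed: the project's own file\n")
        own = decide(project, authorized_dirs=[project])

        return {
            "stray_found": str(stray.relative_to(home)),
            "stray_outside_cwd": stray.parent != project,
            "no_allowlist": no_allowlist[0],
            "project_authorized": project_ok[0],
            "downloads_authorized": downloads_ok[0],
            "own_file": own[0],
            "own_file_in_cwd": own[1].parent == project,
        }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it directly to print the outcomes. The point to notice is that authorizing the project directory alone does not help in the scenario, because the file that would be loaded sits in Downloads; an allowlist check therefore has to key on the directory that holds the file, not on the directory the command was started in.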