Comments (8)
fmeum
commented on July 17, 2024
2
I think that we should make the source repository required information: In order to prevent obviously malicious updates, we need to ensure that the download links for a new module version match the original repo.
from bazel-central-registry.
meteorcloudy
commented on July 17, 2024
1
All sounds good, but for license, we probably want to coordinate with @aiuto who is maintaining rules_license. We had a discussion about whether we should declare license in the metadata.json or in the BUILD file with rules_license. I think rules_license was preferred since it can also be integrated with other module extensions that pulls third party dependencies.
from bazel-central-registry.
fmeum
commented on July 17, 2024
1
Another thing which might be interesting to detect malicious update is to splice in the IP address and reverse DNS on that of the uploader. That might be a PII problem though.
A more reliable identifier for this would be the GitHub user ID. Modules could maintain a list of user IDs permitted to update the module.
Before we do anything, we should research other registries and their approaches to security. Doing this right requires a proper top-down design.
from bazel-central-registry.
fmeum
commented on July 17, 2024
There is even a another appealing option the rules_license-based approach could offer: Definining a module-level default license by using a module tag provided by rules_license.
from bazel-central-registry.
aiuto
commented on July 17, 2024
We actually need both. BCR should have a place to hang canonical package name, version, copyright, license, and a few other things. Repository rules and bzlmod should be able to use that to build license() declarations into BUILD files. I'm working on adding the metadata to rules_license currently.
from bazel-central-registry.
aiuto
commented on July 17, 2024
Another thing which might be interesting to detect malicious update is to splice in the IP address and reverse DNS on that of the uploader. That might be a PII problem though.
from bazel-central-registry.
aaliddell
commented on July 17, 2024
Note that trusting based on GitHub URL prefix gives absolutely no guarantees about source provenance, due to all forks of a repo sharing the same internal git state.
For example, this commit is on my fork of the Bazel repo but has not been merged to any branch on the upstream repo: aaliddell/bazel@bd1097d
Using this commit hash I can create a download URL on my fork: https://github.com/aaliddell/bazel/archive/bd1097d166c5ed20456602b4b236f1410b66ab90.zip
However, modifying the URL to use the upstream bazelbuild organisation repo also works: https://github.com/bazelbuild/bazel/archive/bd1097d166c5ed20456602b4b236f1410b66ab90.zip
Using the above method, any arbitrary code committed to a fork may be given a download URL that would pass a basic prefix check. To truly validate that the code has come from the repo in question, you would have to use the GitHub API to check that the commit hash referenced is merged into the master branch on the specified repo. This is just a quirk of how GitHub stores their data to minimise disk usage and fork times.
from bazel-central-registry.
fmeum
commented on July 17, 2024
Note that trusting based on GitHub URL prefix gives absolutely no guarantees about source provenance, due to all forks of a repo sharing the same internal git state.
For example, this commit is on my fork of the Bazel repo but has not been merged to any branch on the upstream repo: aaliddell/bazel@bd1097d
Using this commit hash I can create a download URL on my fork: https://github.com/aaliddell/bazel/archive/bd1097d166c5ed20456602b4b236f1410b66ab90.zip
However, modifying the URL to use the upstream bazelbuild organisation repo also works: https://github.com/bazelbuild/bazel/archive/bd1097d166c5ed20456602b4b236f1410b66ab90.zip
Using the above method, any arbitrary code committed to a fork may be given a download URL that would pass a basic prefix check. To truly validate that the code has come from the repo in question, you would have to use the GitHub API to check that the commit hash referenced is merged into the master branch on the specified repo. This is just a quirk of how GitHub stores their data to minimise disk usage and fork times.
AFAIK (but this should be checked) this is only a problem for /archive/<commit hash>.zip style URLs. The BCR already rejects such URLs in favor of /archive/refs/tags/<tag>.zip, which should only reflect tags created on the repository itself, not a fork.
As I said above, all of this is pretty subtle and should probably go through a proper security design and review process.
from bazel-central-registry.
Related Issues (20)
- [Bug]: missing `yanked_versions` field in `modules/debian_dependency_bazelizer/metadata.json HOT 3
- wanted: [georgeliaw/rules_wheel] HOT 1
- wanted: Open3d
- wanted: Opencv HOT 1
- wanted:Pointcloud Library
- wanted: glfw/glfw HOT 2
- wanted: ocornut/imgui
- [Bug]: dd
- wanted: HDFGroup/hdf5
- wanted: Blosc/c-blosc2 HOT 1
- Add metadata.json JSON Schema validation to CI HOT 1
- wanted: google/copybara HOT 1
- [Bug]: Incorrect version sorting on https://registry.bazel.build/ HOT 2
- wanted: google/fuzztest HOT 1
- wanted: hdl/bazel_rules_hdl
- wanted: google/fuzztest HOT 3
- [Bug]: Bazel reports non-actionable errors when `ctx.download_and_extract(..)` fails with `--experimental_remote_downloader` enabled. HOT 5
- wanted: google/or-tools
- wanted: rules-proto-grpc/rules_proto_grpc HOT 2
- [Bug]: fmt 10.2.1, use of undeclared identifier 'file_buffer' HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bazel-central-registry.