New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not verify SSL peer when fetching sources #26273
Conversation
More details on |
Also, |
I think we have a larger problem of expectation mismatch… It is sometimes very convenient to just bump the version in the expression and get the hash from the error message. But fetchurl doesn't verify SSL certificates, so this workflow is insecure… |
@7c6f434c Yeah, you are right. This is a troubling issue indeed, although, honestly, I don’t think it is critical. Even if the original author of the expression gets MITMed, others will quickly figure this out. But it would much better if there was a warning or even if the verification was automatically switched all somehow when updating expressions... Not sure how this would work. Do you wanna file a separate issue? :) |
@7c6f434c Yeah, you are right. This is a troubling issue indeed, although, honestly, I don’t think it is critical. Even if the original author of the expression gets MITMed, others will quickly figure this out.
But it would much better if there was a warning or even if the verification was automatically switched all somehow when updating expressions... Not sure how this would work. Do you wanna file a separate issue? :)
Well, nix-prefetch-git is even more annoying to use than
nix-prefetch-url so I decided to comment on the «not needed anyway»
here, mostly so that this statement doesn't get to be written without
the fine print. If I had a _good_ solution I would probably have
committed it already, also not sure what should happen…
|
Strongly opposed to this. I'd rather not give any MITM insight into which specific github repos I'm downloading, thanks. |
@shlevy Can you please submit a negative review so that it is clearly visible? An opposite option would be to modify |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Result integrity is not the only reason to use SSL. We shouldn't expose the specific packages our users download to a clever enough MITM
Why do these have to be system-independent? They're not an impurity by virtue of being fixed output. Also seems like a plausible case for |
It would be impurity in the sense of failure vs. success, not in the sense of getting a different output. |
So is the existing proxy stuff, or the fact of internet connection at all |
IIRC nixos.org is tried first. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree for several reasons:
- Authenticity is just one feature of SSL, the privacy of our users is also paramount.
- Our update strategy is frequently TOFU, or"break the hash then use the fixed one," and I don't want to require a user upstream their packages in order for them to find out their upgrade was pwned.
- cacert is a dependency of the fixed output derivation, which means if cacert changes all fixed outputs don't have to be updated.
I think the upsides here are very minimal, for potentially tragic downsides.
Should we just close this? |
I don't think that most project members and users will agree to this change. |
I would be greatful if as many people as possible could review this pull request as it potentially has security implications.
The idea is that we check the hashes of sources after fetching them, so there is no need to verify the SSL peer when making the connection. For example,
fetchurl
uses the--insecure
option in order to makecurl
skip verification. Additionally, this way we get rid of thepkgs.cacert
dependency in some places.Fetchers that use
pkgs.cacert
:fetchgit
(tested)fetchrepoproject
(can someone test the change please?)docker/pull.{nix,sh}
(something crazy is going on there)fetchbower
(haven’t looked yet)fetchdarcs
(looks like there is no way to disable)fetchgx
(haven’t looked yet)fetchcargo
(haven’t looked yet)Various other places, which I haven’t looked at yet:
I strongly suspect that some of those usages are either not needed or are plain wrong, given all that movement with
NIX_SSL_CERT_FILE
and attempts to make packages behave use trusted roots from the system as opposed to pullingpkgs.cacert
.