LWN: Comments on "Nightly PyTorch builds compromised"
https://lwn.net/Articles/918884/
This is a special feed containing comments posted to the individual LWN article titled "Nightly PyTorch builds compromised".
Feed date: Sat, 04 Oct 2025 10:06:10 +0000

Nightly PyTorch builds compromised
https://lwn.net/Articles/924428/
Posted by nix, Sat, 25 Feb 2023 15:45:00 +0000

That of course assumes they can read whatever language the words are written in. I might point here at the tale of the most nefarious driving offender in Ireland, a protean master of disguise whose appearance was never the same twice, a Mr. Prawo Jazdy: <http://news.bbc.co.uk/1/hi/northern_ireland/7899171.stm>.

(Lest anyone think this is a joke about the Irish, it was of course an English (Welsh border) council which managed the impressive trick of putting up dual-language Welsh road signs where the Welsh "translation" was the Welsh for "I am out of the office at the moment but will be back on Monday." You'd think they could have at least spotted that the day of the week was in the translation but not the original and that something *must* be wrong, but nooo...)

Nightly PyTorch builds compromised
https://lwn.net/Articles/922543/
Posted by mathstuf, Tue, 07 Feb 2023 19:25:22 +0000

RealID is (supposed) to fix at least a baseline of things. However, the requirement date keeps getting pushed back further and further…

APT preferences Pin-Priority
https://lwn.net/Articles/922539/
Posted by JanC_, Tue, 07 Feb 2023 17:24:28 +0000

You can use an origin-based Pin-Priority (see apt_preferences(5) for how this works) to prevent this.

Nightly PyTorch builds compromised
https://lwn.net/Articles/922537/
Posted by JanC_, Tue, 07 Feb 2023 16:56:24 +0000

1. Allowing every state & territory & colony of the US to issue its own completely different & incompatible driving license
2. Using driving licenses & other random things instead of proper standardized ID cards as identification

… and then being surprised that the whole setup is confusing, error prone, easy to falsify, and raising suspicion?

Nightly PyTorch builds compromised
https://lwn.net/Articles/919598/
Posted by oldtomas, Wed, 11 Jan 2023 05:34:30 +0000

Glad to see there are some exceptions to our expectation :)

Nightly PyTorch builds compromised
https://lwn.net/Articles/919273/
Posted by NYKevin, Fri, 06 Jan 2023 21:23:40 +0000

> I.e. if MS VS Code repo content or their signing get somehow compromised they can just replace the "code" binary which you maybe want from this repository to include malicious content.

I doubt this is a solvable problem. You have to trust *somebody* (unless you want to download all of the source code and audit it by hand, in which case you should probably be using Gentoo instead of Debian), and in practice that probably has to be the packager, not the upstream (because the packager may have to carry patches or otherwise modify the software to be suitable for distribution). If you trust the packager, then you trust them, end of story. If you don't trust them, then you can't (shouldn't) run any software they give you.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919190/
Posted by mw_skieske, Fri, 06 Jan 2023 14:04:12 +0000

You can "harden" specific package repo files on Fedora/RPM distros with the option "includepkgs", which will only download the listed packages from that repo and ignore everything else from that URL.

See: https://man7.org/linux/man-pages/man5/yum.conf.5.html

However, this is not really a solution if you don't trust the controlling instance of a remote package server.

I.e. if MS VS Code repo content or their signing get somehow compromised they can just replace the "code" binary which you maybe want from this repository to include malicious content.

On the plus side for the attacker, this might be much harder to detect for end users.

FWIW the official MS package for Fedora does not automatically set these restrictions and I'm not aware of many repositories that do something like this.

I believe this option is ultimately not a security option but more of a bandaid against accidentally installing a package from a wrong repository.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919166/
Posted by Wol, Thu, 05 Jan 2023 22:28:01 +0000

Things don't change, do they ... :-)

35 years ago, a colleague told me stories of his time in Texas. I believe America had plastic licences even then ...

Anyways, the police stopped him and asked for his licence, so he handed them a piece of green paper.

"What's this!?"
"A driving licence."
"How do I know it's a driving licence?"
"It says so. On the front. In big black letters."

Cheers,
Wol

Nightly PyTorch builds compromised
https://lwn.net/Articles/919141/
Posted by mbunkus, Thu, 05 Jan 2023 16:21:34 +0000

This would most likely work just fine. When you add such a repository, be it an APT repo for Debian-based systems or an RPM repository for RPM-based distros such as Fedora/RHEL/openSUSE, you pretty much always add a GPG key that the repo signs its package lists (APT repos) or the packages themselves (RPM packages) with to the list of trusted GPG keys. See e.g. the installation instructions on my MKVToolNix home page at https://mkvtoolnix.download/downloads.html#debian

Then it's just a matter of adding a package called "bash" with a slightly higher version number to that repository, and a subsequent manual package upgrade should pick it up.

That being said, it will likely not be installed automatically. In the Debian-based world there's the "unattended-upgrades" mechanism/package that takes care of installing updates automatically. However, it's pretty much always configured to only download updates from specific APT sections (e.g. from the "security" section). Though I'm not sure how easy it is to fake it.

Both apt & dnf will show where packages are downloaded from; therefore you might spot that "bash" is coming from a server you don't necessarily expect it from. It might also just be overlooked if the number of downloaded packages is big.

It's minimally harder to set up an APT/dnf repository than it is to provide a malicious shell script & a sudo-curl-bash one-liner. But there's no real security there.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919114/
Posted by farnz, Thu, 05 Jan 2023 15:01:10 +0000

I've experienced places in the US refusing service for alcohol because my colleague's passport was clearly fake, since passports are blue and have the word passport on them (https://en.wikipedia.org/wiki/United_States_passport#/media/File:Us-passport.jpg), whereas his was red and had the "obviously misspelt" word passeport on it (https://en.wikipedia.org/wiki/French_passport#/media/File:Passeport_%C3%A9lectronique_fran%C3%A7ais.jpg).

Nightly PyTorch builds compromised
https://lwn.net/Articles/919097/
Posted by mathstuf, Thu, 05 Jan 2023 13:41:31 +0000

There's still a level of problem with the former (well, at least when there's insufficient training). My state had very bendable and almost rubbery licenses for a time and people from far-away states were very suspicious of it. They're better now and have some interesting features in them (the transparent hologram window still confuses some people, but it is far better than the older style).

There's also the story of a grocery store in some Midwest state denying a Washington DC license because "DC isn't a state, how can they have driver licenses?" until the police showed up and said "no, this is fine". I recall hearing of disbelief in diplomatic passports as well.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919096/
Posted by NAR, Thu, 05 Jan 2023 12:56:34 +0000

Apart from the ubiquitous `curl ... | sudo` instructions there are also instructions around to add third-party repositories (sometimes the addition of the third-party repository is itself bundled in a package). What would happen if such a third-party repository tried to give e.g. a malicious `bash` package to the users?

Nightly PyTorch builds compromised
https://lwn.net/Articles/919091/
Posted by Wol, Thu, 05 Jan 2023 08:38:26 +0000

I think it's called "security theatre".

It's the difference between hiring a company to provide a guy to check everyone's ID, and employing a guy who recognises everyone's face ... night and day ...

Cheers,
Wol

Nightly PyTorch builds compromised
https://lwn.net/Articles/919090/
Posted by groshu, Thu, 05 Jan 2023 07:48:47 +0000

But isn't "fixing a social problem with technical means" a definition of the thing we call "security"?

Nightly PyTorch builds compromised
https://lwn.net/Articles/919026/
Posted by auxsvr, Wed, 04 Jan 2023 07:56:03 +0000

Poetry lock files contain hashes for all platforms, including tarballs.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919019/
Posted by bluca, Wed, 04 Jan 2023 01:03:06 +0000

Looking at the rest of the comments, seems like you were spot-on.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919011/
Posted by anselm, Tue, 03 Jan 2023 21:37:48 +0000

IIRC you can list multiple acceptable hashes per package.

Nightly PyTorch builds compromised
https://lwn.net/Articles/919000/
Posted by mathstuf, Tue, 03 Jan 2023 20:07:19 +0000

How's the hash matching work when each platform/version has its own wheel? Or is this yet another wheel feature that is only really supported if you are pure Python?

Nightly PyTorch builds compromised
https://lwn.net/Articles/918999/
Posted by mathstuf, Tue, 03 Jan 2023 20:06:10 +0000

Well, the Internet without verified downloads (hash and/or GPG) at least. Lock files would have helped a lot here, I imagine.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918983/
Posted by SnoopJ, Tue, 03 Jan 2023 16:14:10 +0000

There isn't much in the way of control of precedence in pip, unfortunately. It's a requested feature [1] but there has been relatively little work to make it work. PyPA does define a standard (.pypirc) for configuring indexes that gives very good control over precedence, but pip has zero support for it (honestly I don't know what *does* support it).

The gold standard (imo) for avoiding this kind of mistake is to set up your own index that is capable of falling back onto PyPI, and use `--index-url` instead. One of the pip maintainers publishes the tool `simpleindex` [2] for doing this, letting you specify explicitly which packages you want from your own index, and falling back to PyPI for the rest. There's also `devpi` [3] but it's substantially more complicated to operate.

Honestly, it feels like a huge mistake for pip to keep the `--extra-index-url` feature. It's hard to use safely and I think a big reason that pip hasn't grown a better way to do it is because it's "good enough" if you're willing to overlook the massive attack vector it brings along for the ride with any internal packages.

[1] e.g. https://github.com/pypa/pip/issues/6045 and https://github.com/pypa/pip/issues/4263
[2] https://github.com/uranusjr/simpleindex
[3] https://github.com/devpi/devpi

Nightly PyTorch builds compromised
https://lwn.net/Articles/918951/
Posted by ballombe, Tue, 03 Jan 2023 15:46:04 +0000

What is interesting here is that it seems the attackers have searched CI logs for that kind of situation...
Using the internet during a CI build is always dangerous.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918940/
Posted by oldtomas, Tue, 03 Jan 2023 09:34:33 +0000

You won't get that.

Instead you'll get colourful fireworks on how to fix a social problem with technical means :-)

Happy New Year!

Nightly PyTorch builds compromised
https://lwn.net/Articles/918938/
Posted by kleptog, Tue, 03 Jan 2023 09:32:04 +0000

Pip does allow matching on sha256sum and failing if it doesn't match. It's however not the default and not exactly user friendly either. There are other options controlling repositories but it's not very helpful.

Python package repositories weren't created with an actual design, so this kind of thing wasn't really considered.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918934/
Posted by ms, Tue, 03 Jan 2023 07:22:56 +0000

Exactly. Having multiple repositories where the repository name does not prefix the namespace is pretty bonkers. Or better yet, there should be no central repository and just use URLs of each repo as the name. I.e. the Go design is basically right.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918917/
Posted by NightMonkey, Mon, 02 Jan 2023 22:00:35 +0000

I'd really like to know more about how to short-circuit the precedence rules in pip to avoid this. In general, I want no surprises in sourcing modules and libraries in any programming language. I'd like the option to try one source, have an md5sum or other hash to lock my dependency on, and fail if that isn't available when requested.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918904/
Posted by bluca, Mon, 02 Jan 2023 19:29:05 +0000

Looking forward to hearing again how language-specific package managers are the future and distributions are useless and obsolete.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918897/
Posted by SLi, Mon, 02 Jan 2023 18:08:09 +0000

Interesting. My first reaction was to question instead if any package should be pulled in from PyPI that automatically.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918892/
Posted by khim, Mon, 02 Jan 2023 17:45:06 +0000

It's a nightly build, they were experimenting, I guess.

And weren't sure if they want it or not in the stable release.

Nightly PyTorch builds compromised
https://lwn.net/Articles/918889/
Posted by pbonzini, Mon, 02 Jan 2023 16:29:04 +0000

Why wasn't the package uploaded to PyPI in the first place?