[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint'
|
From: |
Ludovic Courtès |
|
Subject: |
Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway? |
|
Date: |
Tue, 09 Nov 2021 18:05:26 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hi!
Giovanni Biscuolo <g@xelera.eu> skribis:
> The details are published here: https://www.trojansource.codes/
[...]
> Is there a way for "guix lint" to check for the listed (other?)
> "dangerous" codepoints and warn code reviewers?
That would be an expensive operation since that means unpacking the
source and reading each and every file. ‘guix lint’ usually does
inexpensive checks.
> Is it possible for the Guix community to start a coordinated effort to
> analyze all the source code (ever?!?) published in out git repo to check
> for the presence of this attack?
That sounds unreasonable to me.
> AFAIU there is not much Guix can do for the "Homoglyph attacks"
> (CVE-2021-42694).
Right. :-)
Guile itself could be “vulnerable” to this, though. (I’m cautious about
terminology; for example, the ‘sayHello’ example on their web site uses
CYRILLIC CAPITAL LETTER EN vs. LATIN CAPITAL LETTER H. Sure, their
glyphs are almost “visually indistinguishable”, but they belong to
different alphabets, and I’m wary of the implicit imperialist suggestion
that all things that roughly look like H should be replaced by H.)
Thanks,
Ludo’.