fsprojects / Paket

A dependency manager for .NET with support for NuGet packages and Git repositories.
https://fsprojects.github.io/Paket/
MIT License

Is it a good idea to be distributing an exe file in git repos? #3261

Closed sidkshatriya closed 6 years ago

sidkshatriya commented 6 years ago

Description

I am considering learning F# and .Net (I'm familiar with Haskell and other functional languages). F# seems like a well done language. But I'm a bit surprised with certain practices in paket. For instance you recommend uploading a bootstrapping exe (or even paket.exe) in the .paket folder of the git repo. This is a huge surprise to me because this does not seem like a good idea. How can you run a random executable blob after you clone a git repo? The trust issues just seem too huge to me. Even if the git repo is trustworthy, it's tough to be sure that the exe does not have bad things in it (the repo owner may have unwittingly added a bad exe to his repo).

You might suggest that paket can be built from source, but that is not the default workflow you are suggesting to the users. A shell script that downloads paket.exe might be more palatable than a bootstrapper which is also an exe.

Expected behavior

In many other languages (OCaml, Haskell, etc.) I think there are far saner and safer (by design) practices that seem to be followed, and I think paket should encourage that. Maybe I'm a newbie and I don't understand some things here. Please educate me why I should not worry about executable blobs in my F# git repos.

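The shell-script alternative raised above (download paket.exe instead of committing it) can be made concrete. The following is an added example, not code from this issue or from the Paket project: a fetch step that downloads the bootstrapper, computes its SHA-256, compares it against a digest pinned in the repository, and only then writes it to disk, so the repo carries a reviewable hash rather than an executable. The URL and the pinned digest are placeholders, and the demo function exercises the verify-and-write path with a constructed byte string instead of a real download.

```python
"""Fetch a bootstrapper and refuse to install it unless its SHA-256 matches a pin.

Added example for this thread, not Paket's own bootstrapper code. The URL and
digest below are placeholders (assumptions): in practice the digest is copied
from the release notes or a signed manifest into the repository.
"""
import hashlib
import hmac
import os
import tempfile
import urllib.request

# Placeholder values, not real Paket release data.
BOOTSTRAPPER_URL = "https://example.invalid/paket.bootstrapper.exe"
PINNED_SHA256 = "<sha256 hex digest from the release notes goes here>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, expected_hex: str) -> bool:
    """Compare digests in constant time; case and surrounding whitespace are ignored."""
    return hmac.compare_digest(sha256_hex(data).lower(), expected_hex.strip().lower())


def write_verified(data: bytes, expected_hex: str, dest: str) -> str:
    """Verify the bytes, then write them atomically to dest.

    On a digest mismatch nothing is written and RuntimeError is raised, so a
    tampered download can never replace a previously verified binary.
    """
    if not verify_pinned(data, expected_hex):
        raise RuntimeError(
            f"digest mismatch: got {sha256_hex(data)}, expected {expected_hex.strip()}"
        )
    dest = os.path.abspath(dest)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest), prefix=".download-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, dest)  # atomic rename: dest is either old or fully new
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return dest


def fetch_verified(url: str, expected_hex: str, dest: str, timeout: float = 30.0) -> str:
    """Download url and install it only if it matches the pinned digest."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    return write_verified(data, expected_hex, dest)


def demo() -> dict:
    """Offline check of the verify/write path using constructed bytes."""
    blob = b"MZ constructed stand-in for a bootstrapper, not a real program\n"
    pin = sha256_hex(blob)  # in real use the pin comes from the release notes
    dest = os.path.join(tempfile.mkdtemp(), "paket.bootstrapper.exe")
    write_verified(blob, pin, dest)
    try:
        write_verified(blob + b"tampered", pin, dest)
        rejected = False
    except RuntimeError:
        rejected = True
    with open(dest, "rb") as f:
        intact = f.read() == blob
    return {"rejected": rejected, "intact": intact}


if __name__ == "__main__":
    print(demo())
```

The pinned digest is the only thing that has to be committed; reviewers can diff a hash change in a pull request, which is the property the thread asks for and which a committed exe does not give.
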
forki commented 6 years ago

There is always a trust issue with dependency managers. Always. These other tools download random stuff as well and put it into your tool chain. There is not much difference.

sidkshatriya commented 6 years ago

@dsyme Pardon my intrusion, but I'm reading your Expert F# book. I learned about paket.exe from there. As one of the leaders of the F# community, I thought you might have an opinion on the question I've asked above.

sidkshatriya commented 6 years ago

@forki No dependency manager is perfect. That does not mean we should not attempt to work towards perfection. All dependency managers have issues and they all download stuff from external sources. The point here is how to create a dependency manager which has good practices so that it's tough to be vulnerable to "bad" things by default.

Distributing an exe file in a .git repo seems a bit scary to me. Take OCaml's opam for instance (OCaml and F# being cousins): it is never downloaded as part of a .git clone (unlike paket.exe, which is bootstrapped by storing an exe in .paket). It seems to emphasise building from source rather than downloading binary blobs, dlls and exes. And there are other examples that can be found.

forki commented 6 years ago

Ftr you don't have to check in the bootstrapper. There are lots of different options. It's just a convenient way. (The reason for the bootstrapper to be an exe is that it's the only real xplat solution. It works with .NET and mono. Some people go a different route and commit multiple install scripts.) In my opinion the real security issues are the downloaded packages.

matthid commented 6 years ago

@sidkshatriya You need to consider WHERE the trust issue is, because it is NOT on the repository owner. So if you're getting started with paket it doesn't really matter what you check in to your repository. So the trust issue is on your users.

the real security issues are the downloaded packages.

@forki It's just another one on top of that, but I agree that it doesn't really matter at this point, because if we solve the "bootstrapper" trust, nobody prevents bad packages which are "loaded" by compilers and in the case of type providers allow arbitrary code execution anyway (and that is only one example).

baronfel commented 6 years ago

@sidkshatriya to put another point on it, as @forki mentioned there are several ways to get the paket executable, some of which are:

so don't let that block you.

In addition, building-from-source isn't really a thing in the .net ecosystem at all, so I wouldn't necessarily compare it to ocaml (or rust's Cargo, for example) and expect to find parallels.

matthid commented 6 years ago

@sidkshatriya In fact if you just clone a repository you already put a lot of trust in the repository owner, because there might be git-hooks set. Going further the build instructions could download and execute arbitrary code hidden in the background. At this point there are so many places you cannot really control.

forki commented 6 years ago

Well, I really would love to have cargo style build-from-source in .NET - paket's git dependency feature is AFAIK the only thing that is a bit related (while not the same).

matthid commented 6 years ago

@forki I think we just need to properly think through paket/fake use-cases. With .net sdk and fake 5 it should be quite straightforward to get rid of paket-bootstrapper.

forki commented 6 years ago

If you see a way to get rid of the bootstrapper then I'm definitely listening. We have been looking for a way to get rid of it for years.

sidkshatriya commented 6 years ago

@forki :

Ftr you don't have to check in the bootstrapper. There are lots of different options. It's just a convenient way.

I just don't think this is the way you should recommend this approach to your users. It's possible to do other approaches, but I have a problem with the default approach you're recommending to users. I'm sorry, but running (probably an unsigned exe) just seems too fraught with unnecessary risks. Beginners may do that. It's our responsibility to not propagate risky practices but instead recommend sane defaults.

@matthid said:

In fact if you just clone a repository you already put a lot of trust in the repository owner, because there might be git-hooks set. Going further the build instructions could download and execute arbitrary code hidden in the background. At this point there are so many places you cannot really control.

The whole point of external source code is that you can inspect the code. Git hooks can be disabled, or at least you can have a look at what they are doing. What are you going to do with an exe -- disassemble it and read assembly? Clearly that is not a practical solution. A lot of the argument on this ticket seems to be that we're hosed anyway with a dependency manager and remote sources, so why try at all to be safe. I think that is the wrong approach. Look at dependency managers for other languages -- how many recommend checking in an exe into the source code? I don't think there are many. Checking in the paket bootstrapper may be convenient, but it should not be recommended as part of the usage instructions.

Being very new to F# / .Net I certainly don't have the solutions. Sometimes when you have people that come from other communities they can possibly tell you what seems strange. The exe in the git repo certainly seems strange and unnecessary.

At a minimum you should be able to download a pre-built version of paket.exe from somewhere, and that exe should be the only exe required for your system. On Linux and MacOS you are recommending a single exe. Why there should be an exe per repo for Windows is something I don't understand... (I use Linux/MacOS)

0x53A commented 6 years ago

Pedantic note:

What are you going to do with an exe -- disassemble it and read assembly? Clearly that is not a practical solution.

IL can be trivially decompiled to almost the source C#, so yes that would be a viable solution.

0x53A commented 6 years ago

Tbh, I always advocate to always check in the main paket.exe instead of the bootstrapper.

With Paket.exe in the repo and the nuget cache on a file share I can do everything offline.

sidkshatriya commented 6 years ago

@0x53A (As mentioned I'm a newbie to F#/.Net.) So the paket.exe here is not a windows exe in the traditional sense? Is it more like a java jar file?

forki commented 6 years ago

Yes it's bytecode. That's why it runs cross platform.

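
0x53A's point that IL can be decompiled, and forki's that paket.exe is bytecode, can be checked mechanically before anyone runs a committed binary. The following is an added example, not Paket project code: it walks a checkout, finds PE files by their MZ/PE headers, and reports whether each one carries a CLR runtime header (a managed .NET assembly, which decompilers can turn back into reviewable source) or is a native image that would need real reverse engineering. The PE images it scans are constructed header stubs, not real programs, and the .paket/paket.exe path in the demo is only the repository layout the thread describes.

```python
"""Inventory executables committed to a repository and classify them.

Added example for this thread, not Paket project code. classify_pe reads the
DOS header, PE signature, COFF header and optional header, then looks at data
directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR runtime header).
build_stub_pe constructs minimal headers for testing; they are not runnable.
"""
import os
import struct
import tempfile

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14


def classify_pe(data: bytes) -> str:
    """Return 'managed', 'native' or 'not-pe' for the leading bytes of a file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        return "not-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        return "not-pe"
    if count_off + 4 > opt_size:
        return "native"  # optional header too short to hold any data directory
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    entry = opt + dirs_off + CLR_DIRECTORY_INDEX * 8
    if num_dirs <= CLR_DIRECTORY_INDEX or entry + 8 > len(data):
        return "native"
    rva, size = struct.unpack_from("<II", data, entry)
    return "managed" if rva and size else "native"


def build_stub_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header (test fixture only, not a real program)."""
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, dirs_off - 4, 16)  # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, dirs_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 72)
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan_repo(root: str) -> list:
    """List (relative path, kind) for every PE image under root, skipping .git."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(64 * 1024)  # headers sit near the start of the file
            kind = classify_pe(head)
            if kind != "not-pe":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)


def demo() -> list:
    """Write constructed stubs into a temporary tree and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".paket"))
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, ".paket", "paket.exe"), "wb") as f:
        f.write(build_stub_pe(managed=True))
    with open(os.path.join(root, "tools", "helper.exe"), "wb") as f:
        f.write(build_stub_pe(managed=False, pe32plus=True))
    with open(os.path.join(root, "build.sh"), "wb") as f:
        f.write(b"#!/bin/sh\necho building\n")
    return scan_repo(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:8} {rel}")
```

Run against a real checkout, the report tells a reviewer which committed binaries a .NET decompiler can open and which ones cannot be reviewed that way; a pre-commit or CI hook that fails on any finding is the simplest way to enforce "no executables in the repository".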