input-output-hk / haskell.nix

Alternative Haskell Infrastructure for Nixpkgs
https://input-output-hk.github.io/haskell.nix
Apache License 2.0

Why is `openssl-1.0.2u` in `config.permittedInsecurePackages`? #1470

Closed MatthewCroughan closed 2 years ago

MatthewCroughan commented 2 years ago

In the haskell.nix flake, there is a reference to openssl-1.0.2u which has been out of date since 2020. I'm wondering why it was ever added in the first place, since this has security implications, especially since it's being passed around freely and people are using it in their projects, because some templates suggest doing so.

    nix-repl> :lf github:input-output-hk/haskell.nix
    Added 17 variables.
    [3.0 MiB DL]
    nix-repl> config.permittedInsecurePackages
    [ "openssl-1.0.2u" ]
hamishmack commented 2 years ago

Why are you loading the Haskell.nix flake directly? I'm not using the Haskell.nix flake directly for anything. I am not sure if anyone else does. It contains checks with all the Haskell.nix tests using ghc 8.8.4 IIRC. Some of those tests will be quite old. If this is causing problems making a flake that uses Haskell.nix in another flake we could perhaps remove those.

L-as commented 2 years ago

@hamishmack This isn't really related to flakes. This is more so that AFAICT this config parameter is passed to any Nixpkgs that haskell.nix is used with, even without flakes. This is wildly insecure though.

michaelpj commented 2 years ago

> @hamishmack This isn't really related to flakes. This is more so that AFAICT this config parameter is passed to any Nixpkgs that haskell.nix is used with, even without flakes. This is wildly insecure though.

The only reference to config.nix is from flake.nix. I'm not sure what you think is happening here.

MatthewCroughan commented 2 years ago

Having a reference to an outdated OpenSSL in any code, in any context, is bad. It doesn't matter where it is, or the semantics of where it is placed. The string "openssl-1.0.2u" should not be present anywhere in any of the output of this flake. If it is, that's a possible exploit opportunity, as it means the software supply chain is effectively compromised, and you can make assumptions about anyone who uses Haskell.nix to build their software. I can now make the assumption that people using Haskell.nix are doing the following:

    import self.inputs.nixpkgs {
      inherit system;
      overlays = [ self.inputs.haskell-nix.overlay ];
      inherit (self.inputs.haskell-nix) config;
    };

As is so commonly expressed in tutorials, guides, etc. If anyone is doing this, it means every time they import Nixpkgs, it could potentially output software linked to openssl-1.0.2u. This possibility is made easy by being a user of Haskell.nix who has copy-pasted some code from other users of Haskell.nix, or tutorials/guides. The solution is to remove the reference entirely, such that it is no longer a possibility.
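A defensive variant of the import pattern quoted above, added here as an example and not code from the issue or from haskell.nix itself: it forwards haskell.nix's config to Nixpkgs but strips `permittedInsecurePackages`, so an insecure allow-list inherited from the input can never silently enable an outdated OpenSSL. It assumes a flake with inputs named `nixpkgs` and `haskell-nix` and a `system` string in scope, as in the snippet above.

```nix
# Added example (not from the issue or haskell.nix). Assumes `self`, `system`
# and inputs `nixpkgs` / `haskell-nix` exactly as in the quoted snippet.
let
  haskellNixConfig = self.inputs.haskell-nix.config;

  # Whatever the upstream config asks Nixpkgs to permit despite a known CVE.
  permitted = haskellNixConfig.permittedInsecurePackages or [ ];

  # Keep everything else haskell.nix's config sets, but drop the insecure
  # allow-list: Nixpkgs then refuses to evaluate openssl-1.0.2u at all, so a
  # transitive dependency on it becomes a visible evaluation error instead
  # of a silently linked library.
  hardenedConfig =
    builtins.removeAttrs haskellNixConfig [ "permittedInsecurePackages" ];
in
# Warn at evaluation time when the upstream allow-list is non-empty, so a
# bump of the haskell-nix input that reintroduces one is noticed in logs.
assert permitted == [ ]
  || builtins.trace
       "haskell-nix config permits insecure packages: ${toString permitted}"
       true;
import self.inputs.nixpkgs {
  inherit system;
  overlays = [ self.inputs.haskell-nix.overlay ];
  config = hardenedConfig;
}
```

If a build genuinely needs an insecure package, adding it to your own `config.permittedInsecurePackages` at this call site keeps the decision explicit and reviewable in your repository rather than inherited from an input.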

MatthewCroughan commented 2 years ago

I took a look on Sourcegraph, and there are 16 results for this already, and this is a poor search for haskellNix, as we can't guess how people will name their inputs.

https://sourcegraph.com/search?q=context:global+lang:Nix+haskellNix.config&patternType=literal

All of these people could possibly have openssl-1.0.2u in their supply chain.