ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Ensuring that binary patches, when reconstituted, are the same as the original #13

Open david-a-wheeler opened 1 year ago

david-a-wheeler commented 1 year ago

Per discussion 2023-02-28, S2C2F should ensure that expansion of binary patches is equivalent to what would be downloaded from scratch.

david-a-wheeler commented 1 year ago

These are really "binary diffs" to recreate a full update.

david-a-wheeler commented 1 year ago

Basically, the results should be the same if:

  1. You don't have package version 1.0 installed, and you download & install version 1.1
  2. You have package version 1.0 installed, you uninstall it, and download & install version 1.1
  3. You have package version 1.0 installed, and you install a "binary patch" on version 1.0 to produce version 1.1

If the "binary patch" (option 3) produces a different result, it can be hard to figure out what happened. It can be a security vulnerability, since it's likely only the new version was reviewed (not the binary patch).

david-a-wheeler commented 1 year ago

One solution: the receiving client could download a diff (patch file), combine that with the "old" version to create the "full new version", and then verify that the result is the same as the full install (e.g., with a cryptographic hash). Not every client would need to do this; it could be just a test client as part of a test case, and would eliminate the concern about storage space used up in most clients. That approach would ensure that all are getting the same thing.
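The check proposed in this comment, and the three install paths listed in the earlier comment, as an added example that is not part of the S2C2F issue or the project's code. The delta format (`copy`/`insert` ops), the `make_patch`/`apply_patch`/`verify_patched_result` helpers and the sample "package" byte strings are all constructed for illustration; real patch tooling uses far richer encodings, but the verification step is the same: rebuild the new version from old + patch, hash it, and compare against the published hash of the complete artifact. The example also covers the failure mode the issue worries about, a patch applied against a base it was not built for, which the hash comparison catches.

```python
"""Added example (not S2C2F project code): toy binary delta plus the
hash-equivalence check for reconstituted patches."""
import hashlib
import hmac
from typing import List, Tuple, Union

# Patch ops: ("copy", offset, length) reads from the OLD file; ("insert", data) emits literal bytes.
Op = Union[Tuple[str, int, int], Tuple[str, bytes]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_patch(old: bytes, new: bytes) -> List[Op]:
    """Naive delta: reuse the common prefix and suffix of old/new, insert whatever differs."""
    limit = min(len(old), len(new))
    prefix = 0
    while prefix < limit and old[prefix] == new[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and old[-1 - suffix] == new[-1 - suffix]:
        suffix += 1
    ops: List[Op] = []
    if prefix:
        ops.append(("copy", 0, prefix))
    middle = new[prefix:len(new) - suffix]
    if middle:
        ops.append(("insert", middle))
    if suffix:
        ops.append(("copy", len(old) - suffix, suffix))
    return ops


def apply_patch(old: bytes, patch: List[Op]) -> bytes:
    """Reconstitute the new file; refuses copy ranges that fall outside the old file."""
    out = bytearray()
    for op in patch:
        if op[0] == "copy":
            _, offset, length = op
            chunk = old[offset:offset + length]
            if offset < 0 or len(chunk) != length:
                raise ValueError("copy op outside the old file")
            out += chunk
        elif op[0] == "insert":
            out += op[1]
        else:
            raise ValueError(f"unknown op {op[0]!r}")
    return bytes(out)


def verify_patched_result(old: bytes, patch: List[Op], published_full_hash: str) -> bool:
    """The issue's check: does old + patch hash to the same value as the full download?"""
    try:
        rebuilt = apply_patch(old, patch)
    except ValueError:
        return False  # malformed or mismatched patch: treat as a failed verification
    return hmac.compare_digest(sha256_hex(rebuilt), published_full_hash)


# Constructed sample artifacts standing in for package versions 1.0, 1.1 and an unrelated 1.0 beta.
PKG_1_0 = b"PKG v1.0 " + b"\x00" * 32 + b"greeting=hello\n" + b"\xff" * 16
PKG_1_1 = b"PKG v1.1 " + b"\x00" * 32 + b"greeting=hello, patched\n" + b"\xff" * 16
PKG_1_0_BETA = b"PKG v1.0b" + b"\x00" * 32 + b"greeting=hi\n" + b"\xff" * 16


def three_install_paths(old: bytes, new: bytes, patch: List[Op]) -> List[str]:
    """Hash of the installed artifact after each of the issue's three scenarios; all must agree."""
    install_dir = {"pkg": new}                                   # 1. fresh install of 1.1
    fresh = sha256_hex(install_dir["pkg"])
    install_dir = {"pkg": old}
    del install_dir["pkg"]                                       # 2. uninstall 1.0 ...
    install_dir["pkg"] = new                                     #    ... then install 1.1
    reinstalled = sha256_hex(install_dir["pkg"])
    install_dir = {"pkg": old}
    install_dir["pkg"] = apply_patch(install_dir["pkg"], patch)  # 3. binary patch 1.0 -> 1.1
    patched = sha256_hex(install_dir["pkg"])
    return [fresh, reinstalled, patched]


if __name__ == "__main__":
    patch = make_patch(PKG_1_0, PKG_1_1)
    published = sha256_hex(PKG_1_1)  # the hash the publisher lists for the full 1.1 artifact
    print("three install paths agree:", len(set(three_install_paths(PKG_1_0, PKG_1_1, patch))) == 1)
    print("patch on correct base verifies:", verify_patched_result(PKG_1_0, patch, published))
    print("same patch on wrong base verifies:", verify_patched_result(PKG_1_0_BETA, patch, published))
```

Run as a test client in CI: fetch the full release, record its hash, then fetch the delta, apply it to the previous release and call `verify_patched_result`. A mismatch means the delta does not reproduce the reviewed artifact and the release should be held, regardless of whether the cause is a build-pipeline bug or tampering.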

david-a-wheeler commented 1 year ago

There may be other solutions, but having one solution is good :-).