Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: msys2: pin boost to 1.86.0 #9623

Merged
merged 1 commit into from
Dec 23, 2024
Merged

ci: msys2: pin boost to 1.86.0 #9623

merged 1 commit into from
Dec 23, 2024
+7 −0

Conversation

tobtoht
Copy link
Contributor

@tobtoht tobtoht commented Dec 16, 2024

@tobtoht tobtoht mentioned this pull request Dec 17, 2024
Merged
jeffro256
jeffro256 suggested changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@jeffro256 jeffro256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we put an integrity check here please? Perhaps just a sha256sum or a PGP verify or something?

x64x2
x64x2 reviewed Dec 17, 2024
View reviewed changes
Copy link

@x64x2 x64x2 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ueh

@selsta selsta added the ci label Dec 19, 2024
vtnerd
vtnerd suggested changes Dec 20, 2024
View reviewed changes
.github/workflows/build.yml Outdated Show resolved Hide resolved
@tobtoht
Copy link
Contributor Author

tobtoht commented Dec 20, 2024
edited
Loading

Using sha256 hash verification instead of gpg, as the latter would allow an attacker that has access to the msys2 repo to trick us into installing any signed package.

Assuming the release signing key isn't compromised (in which case everything is compromised), this would effectively allow an attacker to cause an older version of Boost to be installed while still passing CI. The older version of Boost could have a vulnerability that is not present in 1.86.0, and someone could unwittingly decide to run this development build outside of a testing environment.

I'm also downgrading boost-libs here as this package is required by boost, and the versions should not mismatch.

Edit: Assuming the attacker has kept older copies of the signed db, there appears to be nothing stopping them from tricking us into installing older versions of other packages either. Again, this is a development build, so I don't really care.

Edit2: In fact, database signatures are optional by default (and msys2 does not configure it otherwise). If a signature is not present, pacman will not throw an error.

selsta
selsta approved these changes Dec 21, 2024
View reviewed changes
Copy link
Collaborator

@selsta selsta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The files built don't get uploaded anyway so I don't think there is a legitimate attack vector here

@tobtoht
Copy link
Contributor Author

tobtoht commented Dec 21, 2024

Ah right, it's the depends build that gets uploaded as an artifact, not this one. So yeah, the purpose of this job is only to check if Monero successfully builds on msys2.

@luigi1111 luigi1111 merged commit 53f468e into monero-project:master Dec 23, 2024
17 of 18 checks passed
@vtnerd vtnerd mentioned this pull request Dec 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@x64x2 x64x2 x64x2 left review comments

@vtnerd vtnerd vtnerd requested changes

@jeffro256 jeffro256 jeffro256 approved these changes

@selsta selsta selsta approved these changes

Assignees
No one assigned
Labels
ci
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@tobtoht @vtnerd @selsta @jeffro256 @x64x2 @luigi1111