Permissions for Registrator

[aviks]

So we've had users complain that the web registrator hosted on juliahub.com asks for write permissions. I wanted to discuss the options, since this is security stance that affects the registry itself. We need consensus from the registry maintainers about what the correct stance should be.

The underlying requirement is that before the registrator user opens a PR on the registry repo, it needs to be sure that the user requesting the registration has write permissions to the repository.

For the web registrator we need to query github apis to get this information. However, the list of "collaborators" on a package is not available to a user unless that user has write permissions to the repository. This is the reason we ask for write permissions for the Oauth token we get from Github. Also, afaik, we cannot restrict permissions per repository on the Oauth token -- per repository access can be given using a deploy token, but that is not a one-click flow.

As a result of the strength of said feedback, we have this morning termporarily changed juliahub web registrator to use only read permissions. I fear however, this may have been a knee jerk reaction by us. To enable the registrator functionality with read permissions, we are now using the list of "contributors" for a repo. This information is freely accessible. However, this list also includes any users who have had a PR merged to the repo, even if they do not have write access. Additionally, this list precludes any organisation members or admins, who may have write permissions, but have not actually merged any code to that repo. Both of which is problematic. The latter can be solved by asking such users to make their org membership public, but the former (user with PR merged) is a problem.

The commentbot needs the same information, but it works as a Github app that is installed on each repo on which it operates. As a result, it has the permissions required to get these priviledged fields.

So I suppose the main question to the registry maintainers is as follows: are we happy to have a security stance where all "contributors" in a repo can make a registry PR.

Given that most registry PRs are merged automatically, and with the focus on "supply chain attacks", this is an important question that should be carefully considered.

[fredrikekre]

web registrator hosted on juliahub.com asks for write permissions.

This is nothing new though, right?

are we happy to have a security stance where all "contributors" in a repo can make a registry PR

I don't think so. Wouldn't that essentially mean "everyone" (i.e. you just have to fix a type in the docs or soemthing) can make releases?

[DilumAluthge]

I don't think so. Wouldn't that essentially mean "everyone" (i.e. you just have to fix a type in the docs or soemthing) can make releases?

Agree. This seems like a big security hole.

[aviks]

This is nothing new though, right?

Yes, this is not new. But we've had a few users who've expressed strong opinions on the matter. So I wanted to have a public issue with a summary of the situation, and ensure we are not missing anything.

Wouldn't that essentially mean "everyone" (i.e. you just have to fix a type in the docs or soemthing)

Yes. That would indeed be the case.

[DilumAluthge]

If people want to register a package, and they don't want to give JuliaHub write access to their repo, they should install the Registrator GitHub App (the "comment bot").

If people want to register a package, and they don't want to give JuliaHub write access to their repo, and also for some reason they don't want to install a GitHub App, we can flesh out RegistratorServerless and make it an official third option. RegistratorServerless.jl:

1. Does not require any write permissions on your repository
2. Does not require that you install a GitHub App on your repository

[DilumAluthge]

Wouldn't that essentially mean "everyone" (i.e. you just have to fix a type in the docs or soemthing)

Yes. That would indeed be the case.

Yeah, I am strongly opposed to this.

[nkottary]

Note that anyone can open a PR in the General Registry to register any package regardless of whether they are a contributor or not. I don't think the contributor check therefore can be called a security hole.

[aviks]

Yes, but registrator PRs are automerged, so that's different, and much more risky.

[DilumAluthge]

Note that anyone can open a PR in the General Registry to register any package regardless of whether they are a contributor or not. I don't think the contributor check therefore can be called a security hole.

1. PRs opened by users that are not JuliaRegistrator or jlbuild are not auto-merged. In contrast, PRs opened by JuliaRegistrator are quickly auto-merged.
2. If someone opens a manual PR to register a package, the registry maintainers are very careful to check that they should actually have permissions to do so.

[DilumAluthge]

One of the core premises of AutoMerge is that we can trust PRs coming from Registrator and jlbuild. The AutoMerge guidelines were based on this premise, and the AutoMerge code base was written with this assumption.

If PRs coming from Registrator can no longer be guaranteed to be coming from someone with the appropriate level of permissions, we should disable AutoMerge.

[DilumAluthge]

I'm have temporarily disabled AutoMerge: JuliaRegistries/General#34270 until we resolve this issue.

[nkottary]

I think we should have a file in the repository that lists the users who can register that package.

[DilumAluthge]

I think we should have a file in the repository that lists the users who can register that package.

It's not the worse idea in the world. I had that thought in the past. Someone pointed out to me on Slack that technically there is a security issue if someone changes their GitHub username. E.g. if the file looks like this:

aviks
DilumAluthge

Suppose I change my GitHub username to DilumIsCool. Once I do so, GitHub will make the DilumAluthge username available for anyone to take. So if someone else signs up for GitHub, and picks the username DilumAluthge, now they have the ability to register versions of this package.

[DilumAluthge]

Out of curiosity, why can't people just install the Registrator GitHub App ("comment bot")? It's easy to use, and it doesn't need any write permissions. (And we don't need a file in the repo with a list of authorized users.) Here are the required permissions:

Are there people for whom this list of permissions is not acceptable?