Security concerns in case a bad-actor scenario happens

[sarpik]

Hey there, thanks for the great tool!

I was concerned about the possible security issues, e.g. a bad actor could steal everyone's notes with just a single faulty commit.

The potential impact is high because the source of the backup tool is centralized (this github repo), and the default schedule to run the tool (cron schedule in the provided github workflow that almost nobody changes) is often (hourly).

---

Currently, the way one is recommended to setup the backup github workflow includes this step:

      -   name: Setup dependencies
          run: |
            pip install git+https://github.com/MatthieuBizien/roam-to-git.git@master

the problem with this is:

1. there's no clear version - it's just the master branch (this is more a problem if you're going to make breaking changes in the future),
2. even if there was a set version, a bad actor could still steal all of one's notes with a single faulty commit,
3. and since the default provided cron inerval is hourly, it would take maximum 1h to steal all notes from the users of this tool who haven't implemented counter-measures themselves.

the main problem is that the user does not control the backup code that will be ran (it's centralized). if they're security-conscious - they might as well assume the code ran there is arbitrary, because it could be.

the work-around currently is to fork the roam-to-git repository and replace the source in the same .github/workflows/main.yml:

-            pip install git+https://github.com/MatthieuBizien/roam-to-git.git@master
+            pip install git+https://github.com/your-username/roam-to-git.git@master

which makes you, the individual user, in control of the updates to the code (syncing from upstream becomes manual - and that's what we want, since we can now verify code changes ourselves, and that doesn't need to happen often either).

but this is what the "advanced" users are doing. Until we find a better solution - perhaps this should be the recommended, if not the only, default?

What do you think?

[michalochman]

Instead of master you can point to the hash of individual commit:

-            pip install git+https://github.com/MatthieuBizien/roam-to-git.git@master
+            pip install git+https://github.com/MatthieuBizien/roam-to-git.git@8cb601bbde6a8252e9d28d3ef7343c00fad49933

This way you don't have to maintain a fork, which makes updates to the code easier.

[sarpik]

yes, I've considered this as well - it's a good starting point.

but still, the repository is not in your control, and the commit hash, while almost impossible to create an identical one, there's still a chance, and I prefer not relying on extremely bad luck and/or heck knows what computational power in the future.

plus, updating the fork isn't very hard either. but fair, the commit is already much better than the master branch.

[MatthieuBizien]

Hi @sarpik, I've considered that possibility, but as Roam interface may evolve without any warning, and break the current version of that repository, I've considered it's better to auto-update by default.

Changing the recommended workflow may work for new users, but it will not increase the security of existing users.

I think the best solution would be to limit my own rights on that repository, so my own PR would only be approved if a trusted reviewer validates them. If someone knows a good workflow/tooling for that, I can set it up.