New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Concerns about metrics from @ljharb #1826
Comments
@brianrussell2 fyi. |
The check does not ask users to pin their dependencies in the manifest. It only verifies that there's a lock file when it's used in CI, so you get "reproducible" installation and don't suddenly fall victim to "npm color" attacks if someone pushed a malicious package. If there's a false positive you found, can you provide a link?
We want to improve this check #1487 I envisage adding support for commands as well
yes, we'd like to have checks be more ecosystem-aware. This is on our radar, but needs work.
/cc @oliverchang
good point.
|
I don't think this is actually a best practice - I think that a package should fall victim to the same attacks and bugs that their users will on a fresh installation, and that encouraging lockfile use in packages actively harms users by hiding problems from maintainers. The false positive imo is that this is considered at all. |
I don't entirely follow. How would a maintainer of package X control how users will use their package? Even if the maintainers of package X want to protect themselves in their CI tests (I think they should), they would not be able to control what their users will do or when installing X, right? |
Speaking for the npm ecosystem, most lockfiles are "dev only", which means that a project with a lockfile has a pinned graph, but their consumers have nothing pinned. There's also one lockfile format that is published, and that is respected by consumers - but it's considered highly user-hostile to use this, because it prevents the consumer from deduping, and from seamlessly updating transitive deps. The belief I'm professing here is that the CI on a public project isn't worth protecting in this fashion in general terms, but it's definitely less important than ensuring that maintainers are notified as early as possible about issues in their dep graph. With a lockfile, the project will continue passing CI even as users who newly install it get bugs or security vulnerabilities - without one, the project's success or failure matches that of the users, and the problems can be fixed much more rapidly. |
There are two different classes of problems:
|
Right - but a dev-only lockfile (the almost exclusive kind used in the npm ecosystem) does not pin dependencies for consumers, only for the maintainers. The best practice in the npm ecosystem is to always use I'm not fully versed on log4j, but wasn't the issue with log4j a problem because of a ton of applications that were pinned, and thus when the long-standing vulnerability was discovered, they weren't able to upgrade to the fixed version? |
I think we're saying the same thing... The scorecard check does this, i.e., checks that the final top-level app uses a lock file. If someone tests an API in their CI, scorecard will also check they've added a lockfile for the CI check, but not the overall project.
log4j was an example of how remediation takes time and limiting the blast radius helps. |
The scorecard runs on projects tho - a published project isn't a top-level app, generally (altho sometimes it can be). |
About the lockfile, is your thought that:
I want to echo Laurent's point about how lockfiles and pinning protected many projects from colors.js , or failed to protect because they weren't present. |
Sure, in this one case - less than a dozen over the lifetime of npm, by my reckoning - this is true. However, not pinning has allowed the seamless flow of bug and security fixes, and also allowed apps to dedupe, resulting in significantly smaller bundle sizes, saving the web uncountable amounts of bandwidth. I’m saying that the benefits of pinning in a package are infinitesimally rare, and the harm of pinning is massive. |
Some additional feedback: pinning an action to a tag is perfectly fine when the author is trusted, and is far better for security because security fixes can freely flow downstream. |
What happens if the author account is compromised? How do you deal with that? |
The same thing that happens if the author account is compromised, they update the action to have well-hidden malicious code, and then someone rubberstamps a dependency update PR - be compromised. In practice, this simply is not a thing that actually happens. Additionally, this is on open source published packages - there's nothing to compromise because nothing is done in the actions. In most cases, they don't even have permissions to do anything (via actions config). This level of paranoia is appropriate for an application - but it's actively harmful for a published package. |
This would be a good panel discussion at something like https://events.linuxfoundation.org/openssf-day-europe/. |
In cases where there are no permissions, I agree that pinning does not help and incur additional work for maintainer to maintain / update. @ljharb is this what you meant or you had a different example in mind? The point on developer trust is interesting. It's hard for scorecard to do out of the box, but allowing consumers to tweak the results based on developer's identity would be interesting. What signals would you use to assess a "developer's trustworthiness" (2FA, projects they contribute to, ?)? |
That’s up to each maintainer. GitHub’s official recommendations, for example, say that pinning an action to a tag is sufficient for an action author the maintainer trusts. The scorecards system fails to be useful if it tries to editorialize too aggressively - when something is sometimes safe and reasonable, if the scorecard penalizes maintainers for it, the scorecards themselves stop being well-considered and useful. |
From @ljharb in https://openssf.slack.com/archives/C0235AR8N2C/p1649348249786279:
@ossf/scorecard-maintainers -- Some of these points are familiar, so wherever possible, let's reference existing discussions/issues/PRs. I just want to make sure we capture all of @ljharb's questions as a first step! :)
The text was updated successfully, but these errors were encountered: