New version: RegistryCI v6.4.0 #30164
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
JuliaRegistrator
commented
Feb 16, 2021
JuliaRegistrator
commented
- Registering package: RegistryCI
- Repository: https://github.com/JuliaRegistries/RegistryCI.jl
- Created by: @GunnarFarneback
- Version: v6.4.0
- Commit: 97ba104372d39419ead4280e27c52c11ed4761ae
- Reviewed by: @GunnarFarneback
- Reference: JuliaRegistries/RegistryCI.jl@97ba104#commitcomment-47187766
UUID: 0c95cc5-2f7e-43fe-82dd-79dbcba86b32 Repo: https://github.com/JuliaRegistries/RegistryCI.jl.git Tree: 812d707a1f6db127297032ca9f267881a9859251 Registrator tree SHA: e934b8c55381f28735124f23e8f7e96d09b20416
JuliaRegistrator
referenced
this pull request
in JuliaRegistries/RegistryCI.jl
Feb 16, 2021
348: Mitigate dependency confusion r=GunnarFarneback a=GunnarFarneback This PR adds a dependency confusion mitigation mechanism for public registries beside General, which are particularly exposed to the vulnerability since their UUIDs are, well, public. The idea, once this PR goes live, is that public registries who want to take part of this mitigation would submit a PR against https://github.com/JuliaRegistries/General/blob/master/.github/workflows/automerge.yml to add their repo URL to the `RegistryCI.AutoMerge.run` argument `public_registries`. When automerge runs, it will clone those repositories and check for a UUID conflict when examining a new-package request. If a conflict is found automerge is blocked, usually. There is one exception to this rule. Assume you want to add a package to General that has previously lived in one of the checked public repositories. Obviously this will trigger a UUID conflict. However, in this case the package repository will match, which means that 1. An attacker has no way to add rouge versions. 2. Registrator wouldn't have accepted the registration request from someone unauthorized. So the rule is that automerge is blocked for conflicting UUIDs, unless repository URL and package name match. (Same UUID with different names is no good, regardless of dependency confusion.) There are some outstanding questions of how much time this takes and whether it gracefully handles connection problems for the public registries. Cc: @timholy Co-authored-by: Gunnar Farnebäck <gunnar.farneback@contextvision.se>
|
Your If you want to prevent this pull request from being auto-merged, simply leave a comment. If you want to post a comment without blocking auto-merging, you must include the text |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.