Define new release workflow #11
Comments
@goldfishlaser my concern about STL files isn't just that they're annoying, but that they could be malicious. As shown in the link above, STL files have been found in at least 1 case to be able to trigger a heap buffer overflow. We need to find a way to mitigate this risk. Including potentially-malicious files in releases (as opposed to the sources) doesn't mitigate this risk at all.
Unrelated, but this is solved by linking to the file at a specific commit, as opposed to the file at HEAD. |
@VanDavv I'd be very curious to read some write-up about how it infected GitHub issues... |
I'd be curious as well, I tracked down the latest activity feed for this account and went onward to warn people around about this, as well as reported to GitHub as urgent. Best of luck! ❤️ |
@maltfield so you are worried that an attacker potentially compromises my OpenSCAD program so that when I create an STL it has malicious code in it? Or some sort of interloper in the middle swapping out my stl with a malicious one? Because your example involves someone doing this on purpose. |
Yes, I am worried about your own devices being infected such that it is exploited by an attacker to inject malicious files into the BusKill repo in order to infect BusKill users. |
What do you have in place to sanitize image files? |
I use Please read the other ticket about methods to mitigate potentially malicious STL files. I mentioned this in the OP as potential solution number 2. |
Ah I missed that that did images. But I didn't miss why it can't support stl, because of how it works.
Anyways that's to protect you if you're opening a malicious file, it doesn't scan / detect anything for uploading to a repository.
…On Thu, Aug 29, 2024, 16:47 Michael Altfield ***@***.***> wrote:
> I use recommend qvm-convert in Qubes, and I recommend Dangerzone for most other people. Please see the other ticket for the feature request that I opened with Dangerzone to add STL file support.
|
You're effectively blocking me from contributing to this project out of fear that I have some sort of OpenSCAD zero day lol. It's starting to just not be worth my time.
If anyone wants the files visit my fork.
…On Thu, Aug 29, 2024, 16:58 Melanie Allen ***@***.***> wrote:
> Ah I missed that that did images. But I didn't miss why it can't support stl, because of how it works.
> Anyways that's to protect you if you're opening a malicious file, it doesn't scan / detect anything for uploading to a repository.
> On Thu, Aug 29, 2024, 16:47 Michael Altfield ***@***.***> wrote:
> > I use recommend qvm-convert in Qubes, and I recommend Dangerzone for most other people. Please see the other ticket for the feature request that I opened with Dangerzone to add STL file support.
|
The risk isn't just OpenSCAD. It's your whole endpoint. I'm afraid you're not grasping the surface area of risk. I am especially concerned because you just came back from DEF CON. Please read through some of these historic examples of supply chain compromise that have affected other open source projects in the past decade +. The users of BusKill are especially vulnerable people who have very powerful adversaries. I take the risk of supply chain vulnerabilities very seriously. Fortunately, OpenSCAD files are not a risk (because it's feasible for a human to read their diff). I don't see how this blocks you from being able to contribute to BusKill. |
STL files are not really a risk either.
…On Thu, Aug 29, 2024, 17:03 Michael Altfield ***@***.***> wrote:
> The risk isn't just OpenSCAD. It's your whole endpoint.
> Please read through some of these historic examples of supply chain compromise that have affected other open source projects in the decade.
> - https://github.com/cncf/tag-security/tree/main/community/catalog/compromises
> The users of BusKill are especially vulnerable people who have very powerful adversaries. I take the risk of supply chain vulnerabilities very seriously.
> Fortunately, OpenSCAD files are not a risk. I don't see how this blocks you from being able to contribute to BusKill.
|
Doubling down on ignoring risk when I've pointed out an 8.8/10 severity CVE that caused heap buffer overflows in 2022 does little to inspire confidence :( |
A single program with poor memory management getting exploited and then patched does not indicate we should distrust all stl files. Somehow, hundreds of other security-concerned projects still allow stl files in their repos.
It's not that I'm against finding a way to do forensics on stl files as a rule. I just disagree that it's urgent right now to the point of not letting me add STLs to releases for people's use. I don't think it's realistic to think that the threat of someone targeting my or other contributors' OpenSCAD installations to make it compile steganographically attacked stl files with the goal of worming into your app is large enough to justify the cost.
I didn't bring my laptop to DEFCON and I had my phone locked down (I only used it for a couple selfies) or in a faraday bag. I used an ephemeral OS on a burner laptop for my presentation.
So yeah, if people want the STL files they can come to my fork.
…On Thu, Aug 29, 2024, 17:13 Michael Altfield ***@***.***> wrote:
> STL files are not really a risk either.
> Doubling down on ignoring risk when I've pointed out an 8.8/10 severity CVE that caused heap buffer overflows in 2022 does little to inspire confidence :(
|
@goldfishlaser are your STL files reproducible? |
This seems to refer to a system not to a particular file or file type
…On Fri, Aug 30, 2024, 10:47 Michael Altfield ***@***.***> wrote:
> @goldfishlaser <https://github.com/goldfishlaser> are your STL files reproducible <https://reproducible-builds.org>?
|
@goldfishlaser please generate your STL file on two distinct computers. Generate a |
@goldfishlaser were you able to test to see if your If they are deterministic, then we can distrust the infrastructure and create a safe process to add them to the releases. |
I don't have access to one, let alone two computers set up with openscad at the moment. Expected resolution time unknown. |
@goldfishlaser Can you please share the instructions/steps for generating an STL file? I also only have one machine, but I run VMs on it, so can test reproducibility for you. |
I said I have access to 0 computers to do this, not 1. Technically, I have a laptop running off live usb, but I don't have enough available disk space on it to download an iso or run VMs because of a mistake I made, and I can't correct the mistake while under such limitations either. All I can do with it is browse the internet and download small files.
I don't have enough space to clone the repo, so I can't make a new PR for an indeterminate amount of time. So you'll have to get the openscad file from my fork or just pick a random scad file.
Just open the file, select the render icon, select the STL icon. Voila.
See OpenSCAD docs for more.
…On Tue, Sep 10, 2024, 9:57 AM Michael Altfield ***@***.***> wrote:
> @goldfishlaser <https://github.com/goldfishlaser> Can you please share the instructions/steps for generating an STL file?
> I also only have one machine, but I run VMs on it, so can test reproducibility for you.
|
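The two checks the thread circles around, whether an STL artifact is structurally sane enough to ship and whether two independent renders of the same `.scad` come out byte-identical, as an added example. This is not code from the BusKill project or from any participant in the thread; it assumes the maintainer renders on each machine with the real OpenSCAD CLI (`openscad -o part.stl part.scad`) and then feeds both files to `reproducible()`. The sample STL bytes below are constructed for the demo. The structural check matters because the kind of parser bug mentioned above comes from trusting the declared triangle count over the bytes actually present, so the declared count is required to match the file length exactly and every coordinate must be finite; OpenSCAD's STL export is ASCII by default, so both ASCII and binary forms are handled.

```python
import hashlib
import math
import struct

HEADER_LEN = 80    # binary STL: fixed 80-byte header
TRIANGLE_LEN = 50  # 12 little-endian float32 (normal + 3 vertices) + uint16 attribute count


class StlError(ValueError):
    """Raised when an STL file is structurally inconsistent."""


def _finite(values) -> bool:
    return all(math.isfinite(v) for v in values)


def validate_binary_stl(data: bytes) -> int:
    """Return the triangle count of a binary STL or raise StlError.

    The declared count must agree exactly with the file length; a count that
    overstates the data present is what a trusting parser reads out of bounds.
    """
    if len(data) < HEADER_LEN + 4:
        raise StlError("shorter than header plus triangle count")
    (count,) = struct.unpack_from("<I", data, HEADER_LEN)
    expected = HEADER_LEN + 4 + count * TRIANGLE_LEN
    if len(data) != expected:
        raise StlError(f"declared {count} triangles implies {expected} bytes, file has {len(data)}")
    for i in range(count):
        floats = struct.unpack_from("<12f", data, HEADER_LEN + 4 + i * TRIANGLE_LEN)
        if not _finite(floats):
            raise StlError(f"non-finite coordinate in triangle {i}")
    return count


def validate_ascii_stl(text: str) -> int:
    """Return the facet count of an ASCII STL or raise StlError.

    Enforces the fixed seven-line facet grammar (facet normal, outer loop,
    three vertex lines, endloop, endfacet) and finite coordinates.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("solid") or not lines[-1].startswith("endsolid"):
        raise StlError("missing solid/endsolid envelope")
    body = lines[1:-1]
    if len(body) % 7:
        raise StlError("facet section is not a multiple of 7 lines")
    for i in range(0, len(body), 7):
        facet = body[i:i + 7]
        if not (facet[0].startswith("facet normal ") and facet[1] == "outer loop"
                and all(v.startswith("vertex ") for v in facet[2:5])
                and facet[5] == "endloop" and facet[6] == "endfacet"):
            raise StlError(f"malformed facet block {i // 7}")
        for ln in [facet[0]] + facet[2:5]:
            parts = ln.split()
            try:
                coords = [float(p) for p in parts[-3:]]
            except ValueError as exc:
                raise StlError(f"bad number in {ln!r}") from exc
            keyword_tokens = 2 if parts[0] == "facet" else 1
            if len(parts) != keyword_tokens + 3 or not _finite(coords):
                raise StlError(f"bad coordinate triple in {ln!r}")
    return len(body) // 7


def validate_stl(data: bytes) -> tuple:
    """Classify as ASCII or binary STL and validate; returns (kind, count).

    Binary files whose header happens to start with "solid" exist, so the
    ASCII branch also requires the "facet" keyword and a clean ASCII decode.
    """
    if data.startswith(b"solid") and b"facet" in data:
        try:
            return "ascii", validate_ascii_stl(data.decode("ascii"))
        except UnicodeDecodeError:
            pass
    return "binary", validate_binary_stl(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check(data: bytes) -> str:
    """One-line verdict suitable for a pre-release log."""
    try:
        kind, n = validate_stl(data)
    except StlError as err:
        return f"rejected: {err}"
    return f"ok: {kind} STL, {n} triangle(s)"


def reproducible(build_a: bytes, build_b: bytes) -> bool:
    """Two independent renders must validate and hash identically."""
    validate_stl(build_a)
    validate_stl(build_b)
    return sha256_hex(build_a) == sha256_hex(build_b)


# Constructed samples for the demo (not real project files).
def binary_stl(triangles) -> bytes:
    """Build a binary STL from (normal, v1, v2, v3) tuples of 3-vectors."""
    out = bytearray(b"constructed sample".ljust(HEADER_LEN, b"\0"))
    out += struct.pack("<I", len(triangles))
    for tri in triangles:
        for vec in tri:
            out += struct.pack("<3f", *vec)
        out += struct.pack("<H", 0)
    return bytes(out)


def with_declared_count(data: bytes, count: int) -> bytes:
    """Overwrite the count field without adding triangles: a malformed file."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, HEADER_LEN, count)
    return bytes(patched)


ONE_TRI = [((0.0, 0.0, 1.0), (0.0, 0.0, 0.0), (1.0, 0.0, 0.0), (0.0, 1.0, 0.0))]
ASCII_SAMPLE = """solid constructed
  facet normal 0 0 1
    outer loop
      vertex 0 0 0
      vertex 1 0 0
      vertex 0 1 0
    endloop
  endfacet
endsolid constructed
"""

if __name__ == "__main__":
    good = binary_stl(ONE_TRI)
    print(check(good))                             # ok: binary STL, 1 triangle(s)
    print(check(with_declared_count(good, 1000)))  # rejected: declared 1000 triangles implies 50084 bytes, file has 134
    print(check(ASCII_SAMPLE.encode()))            # ok: ascii STL, 1 triangle(s)
    print(reproducible(good, binary_stl(ONE_TRI))) # True
```

On real builds the usage is `reproducible(open("machine-a/part.stl", "rb").read(), open("machine-b/part.stl", "rb").read())`; a `False` result means the export is not deterministic on that setup and the hash cannot stand in for review of the file.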
Previously, I had the practice of continuously including my STL files during development. STL files are a type of compiler output and therefore have unreadable diffs that make them poorly suited for version control. Plus, it hasn't been a great way to manage the files. Already we had an issue where I changed some stl name or something and it broke a link.
I received advice to add STLs only during a release. So I would like to build a release. @maltfield How shall we go about it?