Closed Bug 1656157 Opened 4 years ago Closed 4 years ago

Crate marionette, mozdevice, moz-geckodriver taken over on crates.io.

Categories: Testing :: geckodriver, task, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: freddy, Assigned: whimboo
Keywords: sec-other

This is a follow up of bug 1648964.

Here's some context from bug 1648964 comment 50, but it seems someone is claiming ownership of our crates on crates.io.
I don't know how bad this is, but I'm afraid it might affect build-tools integrity & product security.

I also don't know what the takeover policy on crates.io is, but we'll use this bug to find out and (hopefully) remediate. I'm also CCing Pietro Albini, who is the admin of crates.io.

Context from other bug:

(In reply to Nick Alexander :nalexander [he/him] from bug 1648964 comment #50)

(In reply to James Graham [:jgraham] from bug 1648964 comment #47)

nalexander: You seem to be the owner of mozdevice on crates.io. Can you cargo publish it from central and add me (jgraham) as an owner (also Maja, who will be mjzffr, but doesn't seem to have logged in to crates.io before)?

Not sure how this came to be; I've certainly never intentionally published anything to crates.io. Perhaps it's just the metadata in the crate? Yes, the authors are listed from the metadata, but the "owner" appears to be ToToL (see also github/ToToL).

I have no idea who this person is :(

Perhaps we need to reach out to ToToL? Or to the crates.io folks to try to assert control of the namespace? I have no idea what the policy is here...


My understanding, from looking at https://crates.io/policies#removal and https://crates.io/policies#package-ownership is that we'll have to find a new name for the crate and ensure that all of our code is using that new name. :|

Can you take care of that jgraham?

Flags: needinfo?(james)

Hey all, Pietro from the Rust team here! There are two ways to get control of those packages:

  • Send a mail to help@crates.io asking to get in contact with the owner: we'll try to mediate, but if the owner says no or doesn't respond we can't do anything about it.
  • Send a DMCA/trademark takedown request, if you have the right to do so. If the request is valid we'll take the crates down. This is more of a nuclear option though.

An alternative is to publish the packages on crates.io with a prefix (like mozilla-*), tweaking the Cargo.toml so you can still use the original name in the Rust code / build artifacts:

[package]
name = "mozilla-marionette"
# ...

[lib]
name = "marionette"

See https://doc.rust-lang.org/cargo/reference/cargo-targets.html#the-name-field for the documentation on this.

To be clear, this doesn't affect the binaries we produce. We build using the in-tree versions of all the crates. The published versions are for the benefit of people who build from the GitHub export of the source code.

I think what's going on here is that during a previous release we neglected to upload mozdevice, so building from GitHub didn't work. Then I assume this other person published it. But I don't know how to verify the version of the code in the crate matches our previous release. It seems they also published the marionette crate, which I think should be unnecessary, and the geckodriver crate which we intentionally didn't because we didn't intend to use cargo install as a distribution mechanism.

It sounds like in the first instance we can try to contact the person and hope to resolve the situation that way.

Flags: needinfo?(james)
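The check James says he lacks above (whether the code in a published crate matches a release) can be done by hashing the entries of the .crate archive against a source checkout. The following is an added example, not code from this bug or from the geckodriver project. It assumes the .crate layout produced by `cargo package` (entries under `<name>-<version>/`, a rewritten Cargo.toml with the author's copy kept as Cargo.toml.orig, plus generated `.cargo_vcs_info.json` and `Cargo.lock`); the sample tree and tampered crate in `demo()` are constructed so it runs offline.

```python
"""Compare a published .crate against a source checkout, file by file.

Added example; not code from this bug or from the geckodriver project.
A crates.io .crate is a gzipped tar whose entries live under "<name>-<version>/".
`cargo package` rewrites Cargo.toml (the author's copy is kept as Cargo.toml.orig)
and adds .cargo_vcs_info.json and usually Cargo.lock, so those are handled
specially; every other file must match the tree byte for byte.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crate_digests(crate_bytes: bytes, name: str, version: str) -> dict:
    """Map path-inside-crate -> sha256 for every regular file in the archive."""
    prefix = f"{name}-{version}/"
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Refuse entries outside the expected prefix or containing traversal.
            if not member.name.startswith(prefix) or ".." in member.name.split("/"):
                raise ValueError(f"unexpected path in crate: {member.name}")
            digests[member.name[len(prefix):]] = sha256(tar.extractfile(member).read())
    return digests


def tree_digests(root: str) -> dict:
    """Map relative path -> sha256 for a source checkout, skipping .git and target."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "target")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                digests[rel] = sha256(f.read())
    return digests


def compare_crate_to_tree(crate_bytes: bytes, name: str, version: str, tree_root: str) -> dict:
    """Return {'modified': [...], 'only_in_crate': [...], 'only_in_tree': [...]}.

    A clean result has three empty lists; anything in 'modified' or
    'only_in_crate' is content the publisher shipped that the tree does not have.
    """
    crate = crate_digests(crate_bytes, name, version)
    tree = tree_digests(tree_root)
    modified, only_in_crate, seen = [], [], set()
    for path, digest in crate.items():
        if path in ("Cargo.toml", ".cargo_vcs_info.json"):
            continue  # rewritten / generated by `cargo package`
        tree_path = "Cargo.toml" if path == "Cargo.toml.orig" else path
        if tree_path in tree:
            seen.add(tree_path)
            if tree[tree_path] != digest:
                modified.append(path)
        elif path != "Cargo.lock":  # a lockfile absent from the tree is normal
            only_in_crate.append(path)
    only_in_tree = [p for p in tree if p not in seen]
    return {"modified": sorted(modified),
            "only_in_crate": sorted(only_in_crate),
            "only_in_tree": sorted(only_in_tree)}


def build_crate(name: str, version: str, files: dict) -> bytes:
    """Build a .crate-shaped gzipped tar in memory (used to construct the sample below)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{name}-{version}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Constructed sample: a two-file tree and a crate that was tampered with."""
    src = {"Cargo.toml": b'[package]\nname = "mozdevice"\nversion = "0.2.0"\n',
           "src/lib.rs": b"pub fn version() -> &'static str { \"0.2.0\" }\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in src.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        published = {
            "Cargo.toml": b"# normalized by cargo\n" + src["Cargo.toml"],  # expected to differ
            "Cargo.toml.orig": src["Cargo.toml"],                          # must match tree
            ".cargo_vcs_info.json": b'{"git":{"sha1":"0000"}}',            # generated
            "src/lib.rs": src["src/lib.rs"] + b"pub fn extra() {}\n",        # tampered
            "src/helper.rs": b"// not in the tree\n",                      # injected
        }
        crate = build_crate("mozdevice", "0.2.0", published)
        return compare_crate_to_tree(crate, "mozdevice", "0.2.0", root)
```

For a real check, download the archive from the static download URL (`https://static.crates.io/crates/<name>/<name>-<version>.crate`), check out the git tag of the matching release, and pass both to `compare_crate_to_tree`. The `sha1` in `.cargo_vcs_info.json` (if the publisher packaged from a git checkout) can additionally be compared against the tag, but it is publisher-supplied and proves nothing on its own; the per-file hashes are the evidence.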

Flagging sec-other, based on comment 4.

Keywords: sec-other
Group: core-security → core-security-release

(In reply to James Graham [:jgraham] from comment #4)

It sounds like in the first instance we can try to contact the person and hope to resolve the situation that way.

Who is driving this (ie contacting the person) - is it you? If not, can we find someone? :-)

Flags: needinfo?(james)

I sent an email to help@crates.io but I haven't heard back. Pietro, do you have any insight?

Flags: needinfo?(james) → needinfo?(pietro)

The support team for crates.io is only made of volunteers unfortunately, so it might take a bit for them to reply. I see the mail in the queue though. Let me try pinging them :)

Flags: needinfo?(pietro)

(In reply to James Graham [:jgraham] from comment #4)

I think what's going on here is that during a previous release we neglected to upload mozdevice, so building from GitHub didn't work. Then I

That is right. The code of this package wasn't ready for an actually satisfying release. That's why we never released it. Also, we haven't supported building geckodriver from GitHub since the 0.25 release.

So with the 0.27 release we now have the problem that parts of the securing patches for Android aren't available for folks building geckodriver from Github. :/

Note that the user also has a github account: https://github.com/ToToL and it refers to https://www.prelude-siem.org/users/301. The email of the user is thomas.andrejak@csnovidys.com. James, would you mind contacting him directly?

Flags: needinfo?(james)

I just noticed that he is present on Freenode. As such I pinged him. Let's see if we get a reply in the next few days - in case he isn't away. I will check back at latest on Wednesday, so that we could send out an email. Another address is thomas.andrejak@gmail.com which is listed for his Debian QA work at https://qa.debian.org/developer.php?login=thomas.andrejak%40gmail.com.

Flags: needinfo?(james)

So I was able to chat with Thomas and he happily gave me ownership for all three crates. As he mentioned to me he would like to stay in the list of owners, but I wonder if that is possible and also if we should do that at all. I don't know the implications of that from a crates.io perspective. But I assume it would disallow him from pushing any new release.

Also I wonder if the crates for marionette and moz-geckodriver need to be continued. Marionette was never targeted yet to be released on crates.io, but just to be a sub-crate under geckodriver. James, do you see a time when we would have to do a real release?

The reason why he released those crates was that he needed those for rust2rpm to work while packaging geckodriver for CentOS. Now that we have source tarballs on GitHub again, those are not necessary anymore. So moz-geckodriver could be removed, similar to what we also did for the geckodriver crate.

Meanwhile I uploaded version 0.2.0 of the mozdevice crate, so geckodriver can be perfectly built from a GitHub checkout.

Flags: needinfo?(james)

Great! I agree we should not need to release marionette or moz-geckodriver; we can't delete existing releases but we can mark them as yanked. I'm not sure what the right thing with the ownership is; I assume as an owner he can push new versions, but certainly can't overwrite existing ones. I'd be happier if the owners were people contributing to the project that we could establish a relationship with. Maybe there's a way to make that happen here.

Flags: needinfo?(james)

Keep in mind that any owner can also add or remove other owners. It's not possible to override existing releases.

I think it would be great if we could find a way to help Thomas transition to a peer and contributor. But I would shy away from making him a co-owner on crates.io, pointing to the module ownership policies we have at Mozilla.

I'm happy to chat with him again and check if he is interested in contributing. But I doubt it, given that he basically only packages geckodriver for CentOS. And there is not even a maintainer listed yet for it:

https://centos.pkgs.org/7/getpagespeed-x86_64/firefox-geckodriver-0.26.0-1.el7.gps.x86_64.rpm.html

But given the final conversation from yesterday (after I commented here) he seems to be ok with it:

<whimboo> regarding your ownership of the packages I would have to speak to legal if that's possible. Personally I feel it would be good if you would resign from it. It would make it clear that the crate comes from Mozilla, and no-one else can push new releases.
<ToToL> ok if you want
Assignee: nobody → hskupin
Status: NEW → ASSIGNED
Priority: -- → P1

Also as he mentioned there is no need for those extra crates (marionette and moz-geckodriver) with our newest 0.27.0 release given that we offer the correct source tarballs for download again. So we should make sure to keep that intact for upcoming releases.

I revoked the owner permission for mozdevice from Thomas, but left the other two packages intact for now. If he is fine with it I will get those disabled.

Severity: -- → S3

As agreed with Thomas both crates for marionette and moz-geckodriver have been removed. Nothing more needs to be done here.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #18)

As agreed with Thomas both crates for marionette and moz-geckodriver have been removed. Nothing more needs to be done here.

What's preventing Thomas (or anyone else) from adding new crates?
Is there value in holding the names ourselves, just to make sure?

Sorry for being unclear. You cannot remove a crate but only yank versions of it. So that is what I did. Also we are the owners now of mozdevice and marionette (which was never intended to get released).

Besides that, we cannot stop users from modifying the crate name and publishing packages like moz-geckodriver. Once in a while we should simply check what's listed.
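The periodic check suggested above (who owns the crates, and whether look-alike names such as moz-geckodriver have appeared) can be scripted against the crates.io API. The following is an added example, not code from this bug or from the geckodriver project. The response shapes are assumptions about the crates.io v1 API (`/api/v1/crates/<name>/owners` returning `{"users": [...]}` with a `login` per owner, and `/api/v1/crates?q=<term>` returning `{"crates": [...]}` with a `name` per hit); the user-agent string, the allowlist and the sample responses in `demo()` are constructed so it runs offline and do not describe the real state of any crate.

```python
"""Periodic check of crates.io ownership and look-alike crate names.

Added example; not code from this bug or from the geckodriver project.
Response shapes assumed here follow the crates.io v1 API:
  GET /api/v1/crates/<name>/owners       -> {"users": [{"login": "...", "kind": "user"|"team", ...}]}
  GET /api/v1/crates?q=<term>&per_page=N -> {"crates": [{"name": "...", "max_version": "..."}, ...]}
The fetch function is injected so demo() runs offline on constructed data;
http_fetch() is the real one (crates.io rejects requests without a User-Agent).
"""
import json
import urllib.parse
import urllib.request

API = "https://crates.io/api/v1"
USER_AGENT = "crate-owner-audit/0.1 (hypothetical contact address)"  # assumed value


def http_fetch(path: str) -> dict:
    """Fetch a crates.io API path and decode the JSON body."""
    req = urllib.request.Request(API + path, headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_owners(crates, expected_owners, fetch) -> dict:
    """Crates whose owner set differs from the allowlist, with the differences.

    Any owner can publish new versions and add or remove other owners, so an
    unexpected login is the finding; a missing one means the team lost a seat.
    """
    expected = set(expected_owners)
    findings = {}
    for crate in crates:
        owners = {u["login"] for u in fetch(f"/crates/{crate}/owners")["users"]}
        diff = {"unexpected": sorted(owners - expected), "missing": sorted(expected - owners)}
        if diff["unexpected"] or diff["missing"]:
            findings[crate] = diff
    return findings


def find_lookalikes(terms, known_crates, fetch) -> list:
    """Published names containing one of our terms that are not ours (e.g. moz-geckodriver)."""
    hits = set()
    for term in terms:
        q = urllib.parse.quote(term)
        for c in fetch(f"/crates?q={q}&per_page=100")["crates"]:
            name = c["name"]
            # Search is fuzzy; keep only names that actually contain a watched term.
            if name not in known_crates and any(t in name for t in terms):
                hits.add(name)
    return sorted(hits)


# Constructed sample responses; they do not describe the real state of any crate.
SAMPLE = {
    "/crates/mozdevice/owners": {"users": [
        {"login": "whimboo", "kind": "user"},
        {"login": "jgraham", "kind": "user"},
        {"login": "someone-else", "kind": "user"},
    ]},
    "/crates/marionette/owners": {"users": [{"login": "whimboo", "kind": "user"}]},
    "/crates?q=geckodriver&per_page=100": {"crates": [
        {"name": "moz-geckodriver", "max_version": "0.26.0"},
        {"name": "fake-webdriver-client", "max_version": "1.0.0"},  # fuzzy hit, not a look-alike
    ]},
    "/crates?q=mozdevice&per_page=100": {"crates": [{"name": "mozdevice", "max_version": "0.2.0"}]},
}


def demo():
    """Run both checks against the constructed responses."""
    fetch = SAMPLE.__getitem__
    owners = audit_owners(["mozdevice", "marionette"], ["whimboo", "jgraham"], fetch)
    lookalikes = find_lookalikes(["geckodriver", "mozdevice"], {"mozdevice", "marionette"}, fetch)
    return owners, lookalikes
```

Running this on a schedule with `http_fetch` in place of the sample gives an alert both for an owner nobody on the team recognises and for a new prefixed name; neither check needs credentials, since both endpoints are public.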

Is there value in holding the names ourselves, just to make sure?

If you end up reserving the names, keep in mind this part of the crates.io policy:

Using an automated tool to claim ownership of a large number of package names is not permitted. We reserve the right to block traffic or revoke ownership of any package we determine to have been claimed by an automated tool.

Group: core-security-release