Harden updater rebuild environment#941
Conversation
ilysenko
left a comment
There was a problem hiding this comment.
Thanks for the security hardening work. Before investing more time in this approach, please note that addressing the findings below would not guarantee that this PR will be merged. Similar updater trust-boundary work is already being developed by the maintainer, with a focus on a simpler architecture. This implementation adds substantial complexity and long-term support cost, so the project may ultimately choose the alternative design and supersede this PR.
If you would still like to continue with this implementation, please address the following blockers:
- Run wrapper-source Git operations with a clean environment and a verified trusted executable, with coverage for poisoned
PATHand Git configuration. - Pin packaged rebuild feature inputs to a verified root-owned installed bundle instead of the configurable
builder_bundle_root. - Validate the canonical target and ancestry of every executable admitted to the trusted build
PATH. - Provide a supported trusted toolchain path and align native package dependencies, bootstrap documentation, proxy/CA behavior, and Cargo caching with it.
- Bump the updater crate version as required by CONTRIBUTING.md.
These issues currently leave bypasses in the intended pre-pkexec trust boundary and break the documented native auto-update setup.
Before requesting another maintainer review, please verify the complete change against CONTRIBUTING.md, run the relevant tests locally, perform an independent review of the full diff with a local LLM, and wait until every required CI check has completed successfully after the update.
Summary
Security impact
This closes two updater trust-boundary issues before a rebuilt package crosses the
pkexecboundary:The rebuilt package is now derived only from the bundled builder/feature tree and explicitly validated inputs.
Upstream integration
This branch is replayed onto current upstream
mainata8dbcb9. A conflict with949b68ewas resolved by keeping user-local, nvm, Cargo, and inherited PATH entries excluded from automated package rebuilds; those paths are incompatible with the privileged-package trust boundary addressed here.Validation
cargo fmt --all -- --check— passed after replay onto current upstreamgit diff --check upstream/main...HEAD— passedLocal retesting after the upstream replay is blocked on macOS by current upstream
updater/src/notify.rsusingnotify-rust.hint(...), which is unavailable from the selected macOS backend. This branch does not touch notification code or dependency selection, and upstream Linux CI is green at the exact base commit; this PR's Linux CI is the final platform gate.