From: Richard Biener
Date: Sat, 6 Apr 2024 15:00:03 +0200
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Andrew Sutton
Cc: Martin Uecker, Jonathon Anderson, Michael Matz, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc wrote:
>
> > I think the key difference here is that Autotools allows arbitrarily
> > generated code to be executed at any time. More modern build systems
> > require the use of specific commands/files to run arbitrary code, e.g.
> > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > ([`run_command()`][1]), Cargo ([`build.rs`][4]).\
> >
> > To me it seems that Cargo is the absolute worst case with respect to
> > supply chain attacks.
> >
> > It pulls in dependencies recursively from a relatively uncurated
> > list of projects, puts the source of all those dependencies into a
> > hidden directory in home, and runs Build.rs automatically with
> > user permissions.
> >
>
> 100% this. Wait until you learn how proc macros work.

proc macro execution should be heavily sandboxed, otherwise it seems
compiling something is enough to get arbitrary code executed with the
permission of the compiling user. I mean it's not rocket science - browsers
do this for javascript. Hmm, we need a webassembly target ;)

Richard.