From: Richard Biener
Date: Sat, 6 Apr 2024 15:00:03 +0200
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Andrew Sutton
Cc: Martin Uecker, Jonathon Anderson, Michael Matz, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <8d84f989031aa34eae919f8ff2d3cb4e60faf6a7.camel@gwdg.de>

On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc wrote:
>
> > > I think the key difference here is that Autotools allows arbitrarily
> > > generated code to be executed at any time. More modern build systems
> > > require the use of specific commands/files to run arbitrary code, e.g.
> > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).
> >
> > To me it seems that Cargo is the absolute worst case with respect to
> > supply chain attacks.
> >
> > It pulls in dependencies recursively from a relatively uncurated
> > list of projects, puts the source of all those dependencies into a
> > hidden directory in home, and runs Build.rs automatically with
> > user permissions.
> >
>
> 100% this. Wait until you learn how proc macros work.

Proc macro execution should be heavily sandboxed, otherwise it seems
compiling something is enough to get arbitrary code executed with the
permission of the compiling user. I mean it's not rocket science - browsers
do this for javascript.

Hmm, we need a webassembly target ;)

Richard.
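As an added example (not code from this thread or from Cargo itself), a small audit script that inventories which crates in a Cargo dependency graph can execute code at build time, the two mechanisms Martin and Andrew point at above: build scripts (build.rs) and proc macros. It parses the JSON that `cargo metadata --format-version 1` emits; the sample metadata embedded at the bottom is constructed, and `audit_current_project` is a hypothetical convenience wrapper for running the same check on a real checkout.

```python
"""Inventory crates that run code at build time (added example, not from
the thread): parses `cargo metadata --format-version 1` JSON and lists each
package with a build script (target kind "custom-build", i.e. build.rs) or
a proc-macro target. Both execute with the invoking user's permissions."""
import json
import subprocess
from typing import Dict, List

# cargo metadata target kinds that imply compile-time code execution
BUILD_TIME_KINDS = {"custom-build": "build.rs", "proc-macro": "proc-macro"}


def build_time_executors(metadata: dict) -> Dict[str, List[str]]:
    """Map "name version" -> sorted kinds of build-time execution found."""
    found: Dict[str, List[str]] = {}
    for pkg in metadata.get("packages", []):
        kinds = sorted({BUILD_TIME_KINDS[k]
                        for target in pkg.get("targets", [])
                        for k in target.get("kind", [])
                        if k in BUILD_TIME_KINDS})
        if kinds:
            label = f"{pkg['name']} {pkg['version']}"
            if pkg.get("source") is None:  # workspace member, not a registry crate
                label += " (local)"
            found[label] = kinds
    return found


def audit_current_project() -> Dict[str, List[str]]:
    """Hypothetical wrapper: run cargo metadata in the cwd and audit it."""
    out = subprocess.run(["cargo", "metadata", "--format-version", "1"],
                         check=True, capture_output=True, text=True).stdout
    return build_time_executors(json.loads(out))


# Constructed sample in the shape cargo metadata emits (only the fields used
# above); not the metadata of any real project.
REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"
SAMPLE_METADATA = {"packages": [
    {"name": "myapp", "version": "0.1.0", "source": None,
     "targets": [{"name": "myapp", "kind": ["bin"]}]},
    {"name": "some_derive", "version": "0.9.0", "source": REGISTRY,
     "targets": [{"name": "some_derive", "kind": ["proc-macro"]}]},
    {"name": "native-sys", "version": "2.3.1", "source": REGISTRY,
     "targets": [{"name": "native_sys", "kind": ["lib"]},
                 {"name": "build-script-build", "kind": ["custom-build"]}]},
    {"name": "plain", "version": "1.0.0", "source": REGISTRY,
     "targets": [{"name": "plain", "kind": ["lib"]}]},
]}

if __name__ == "__main__":
    for pkg, kinds in build_time_executors(SAMPLE_METADATA).items():
        print(f"{pkg}: executes code at build time via {', '.join(kinds)}")
```

Crates that appear in the output are the ones whose build-time code deserves review or a sandboxed build before they are trusted.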