undefined | Better HN

0 pointsbonzini1y ago0 comments

Packages in a Linux distro are not built on my machine, they are built by the distro in a sandbox. Every time I type "cargo build" I am potentially running arbitrary code downloaded from the internet. Every time I type "make" in an Autotools program only my code runs.

> not requiring me to be an expert in another language just to audit it.

Do you do that every time your Cargo.lock changes?

0 comments

timschmidt1y ago

> Every time I type "make" in an Autotools program only my code runs.

Says who? Make is just as good at calling arbitrary code as Cargo. Including code that reaches out over the network. Have you audited every single makefile to ensure that isn't the case?

bonziniOP1y ago

I am talking about my makefiles. They don't automatically build dependencies that I have no control on.

Whereas building my crate can run code locally that no one has ever audited.

timschmidt1y ago

So... you're complaining about what could happen in a Rust build if you include a library without examining that library first? How do you think that is different from doing the same in any other language?

1 more reply

fragmede1y ago

seems trivial for a configure script to call curl/wget somewhere in the depths of it, no?

timschmidt1y ago

Exactly. And at least Cargo will refuse to download a crate which has been yanked. So any crate which has been discovered to be compromised can be yanked, preventing further damage even when someone has already downloaded something which depends on it.

Building packages with up-to-date dependencies is also vastly preferable to building against ancient copies of libraries vendored into a codebase at some point in the past, a situation I see far too often in C/C++ codebases.

Hackbraten1y ago

Debian’s rules files often deliberately sinkhole the entire network during the build. It’s not the worst idea.

fragmede1y ago

I wonder if you could do it inside the config script without the network.

j / k navigate · click thread line to collapse

0 pointsbonzini1y ago0 comments

> not requiring me to be an expert in another language just to audit it.

Do you do that every time your Cargo.lock changes?

0 comments

timschmidt1y ago

> Every time I type "make" in an Autotools program only my code runs.

Says who? Make is just as good at calling arbitrary code as Cargo. Including code that reaches out over the network. Have you audited every single makefile to ensure that isn't the case?

bonziniOP1y ago

I am talking about my makefiles. They don't automatically build dependencies that I have no control on.

Whereas building my crate can run code locally that no one has ever audited.

timschmidt1y ago

1 more reply

fragmede1y ago

seems trivial for a configure script to call curl/wget somewhere in the depths of it, no?

timschmidt1y ago

Hackbraten1y ago

Debian’s rules files often deliberately sinkhole the entire network during the build. It’s not the worst idea.

fragmede1y ago

I wonder if you could do it inside the config script without the network.

j / k navigate · click thread line to collapse