exDM69 5 days ago
The same applies to any Makefile, the Python script invoked by CMake or pretty much any other scriptable build system. They are all untrusted scripts you download from the internet and run on your computer. Rust build.rs is not really special in that regard. Maybe go build doesn't allow this but most other language ecosystems share the same weakness.

pdw 5 days ago
Right, people forget that the xz-utils backdoor happened to a very traditional no-dependencies C project.
theteapot 5 days ago
xz-utils has a ton of build dependencies. The backdoor implant exploited a flaw in an m4 macro build dep.
cedws 5 days ago
Yes but it's the fact that cargo can pull a massive unreviewed dependency tree and then immediately execute code from those dependencies that's the problem. If you have a repo with a Makefile you have the opportunity to review it first at least.
duped 5 days ago
Do you review the 10k+ lines of generated bash in ./configure, too?

cozzyd 5 days ago
./configure shouldn't be in your repo unless it's handwritten

johnisgood 5 days ago
Pretty much. It is called "autotools" for a reason. Theoretically you should be able to generate the configuration scripts through "autoconf" (or autoreconf), or generate Makefile.in for configure from Makefile.am using "automake", etc.
pharrington 5 days ago
You are allowed to read Cargo.toml.

cedws 5 days ago
Cargo.toml does not contain the source code of dependencies nor transient dependencies.

magackame 5 days ago
Welp, `cargo tree`, 100 nights and 100 coffees then it is

marshray 5 days ago
Yes! I sometimes set up a script that runs several variations on 'cargo tree', as well as collects various stats on output binary sizes, lines of code, licenses, etc. The output is written to a .txt file that gets checked in. This allows me to easily observe the 'weight' of adding any new feature or dependency, and to keep an eye on the creep over time as the project evolves.

johnisgood 5 days ago
You will need something stronger than caffeine.
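One concrete piece of the checked-in dependency bookkeeping marshray describes, narrowed to the point of this thread: which crates in the resolved graph will have their code executed on the developer's machine during `cargo build` (build.rs scripts and proc-macros). This is an added example, not code from any commenter; it assumes the JSON shape of `cargo metadata --format-version 1` (a `packages` list whose `targets` carry a `kind` of `custom-build` for build.rs or `proc-macro`), and the crate names in SAMPLE are constructed.

```python
"""List crates whose code cargo executes at build time, from `cargo metadata` JSON."""
import json
import sys

# Constructed sample in the shape of `cargo metadata --format-version 1` output,
# trimmed to the fields used here. Crate names and versions are made up.
SAMPLE = {
    "packages": [
        {"name": "myapp", "version": "0.1.0", "source": None,
         "targets": [{"kind": ["bin"], "name": "myapp"}]},
        {"name": "ring-like", "version": "0.17.0",
         "source": "registry+https://github.com/rust-lang/crates.io-index",
         "targets": [{"kind": ["lib"], "name": "ring_like"},
                     {"kind": ["custom-build"], "name": "build-script-build"}]},
        {"name": "derive-thing", "version": "1.2.0",
         "source": "registry+https://github.com/rust-lang/crates.io-index",
         "targets": [{"kind": ["proc-macro"], "name": "derive_thing"}]},
        {"name": "plain", "version": "2.0.0",
         "source": "registry+https://github.com/rust-lang/crates.io-index",
         "targets": [{"kind": ["lib"], "name": "plain"}]},
    ]
}

# Target kinds whose code runs on the building machine: build.rs is compiled to a
# "custom-build" target; proc-macros are loaded into and executed by rustc.
BUILD_TIME_KINDS = {"custom-build", "proc-macro"}

def build_time_code(metadata):
    """Return sorted (name, version, kinds) for each package that runs code at build
    time, so the list can be checked in and diffed whenever dependencies change."""
    hits = []
    for pkg in metadata["packages"]:
        kinds = sorted({k for t in pkg["targets"] for k in t["kind"]
                        if k in BUILD_TIME_KINDS})
        if kinds:
            hits.append((pkg["name"], pkg["version"], tuple(kinds)))
    return sorted(hits)

def main():
    # Real use: cargo metadata --format-version 1 --locked | python3 build_audit.py
    # With nothing piped in, fall back to the constructed SAMPLE above.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    hits = build_time_code(data)
    print(f"{len(hits)} of {len(data['packages'])} packages execute code at build time:")
    for name, version, kinds in hits:
        print(f"  {name} {version}: {', '.join(kinds)}")

if __name__ == "__main__":
    main()
```

Crates that appear only in this list, not in the rest of the tree, are the ones worth opening before the first build rather than after; a new entry in the diff is the signal that a dependency bump added build-time execution.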
Bridged7756 5 days ago
In JavaScript just the npm install can fuck things up. Pre-install scripts can run malicious code.