| ▲ | jswny 6 hours ago |
| What’s the advantage of that for building? |
|
| ▲ | himata4113 5 hours ago | parent | next [-] |
| sandboxing, which feels a weird way to achieve that. Although the reason for it to begin with is because builds systems can typically access raw memory and disable artificial restrictions. I think this is a bad move since the real fix to these attacks is a sandboxed environment rather than a single tool implementing sandboxing. |
| |
| ▲ | insanitybit 5 hours ago | parent | next [-] | | These are not mutually exclusive, and one makes the other better. "Whole process" sandboxing has always been far worse than native sandboxing because when the devs writing the software design the software to be sandboxed they can achieve far more fine grained permissions. Similarly, "whole environment" sandboxes are the absolute worst - they're the least fine grained possible. The benefit of "whole environment" is that if you stuff everything into that environment then anything in it is confined, but it's all confined with everything stuffed in and is sort of maximally capable. You can rarely do things are significant as, say, system call filtering, because all software in the environment must continue to work and none of it was designed with that in mind. Native sandboxing like this will likely make auditing much easier as well. If a dependency requires something like "give me the ability to execute code on the OS", now it has to ask for it and now it gets additional scrutiny. Native sandboxing is and always will be the infinitely superior method when it's actually used. Whole process/ Environment is only what we use because of how rare native sandboxing is. | |
| ▲ | cornstalks 5 hours ago | parent | prev | next [-] | | How would you do it, then? Sandboxing a project's build.zig via Wasm (and the various dependencies's build.zig files) seems like a great improvement to me and is how I would personally try to sandbox the build process. | | |
| ▲ | afdbcreid 5 hours ago | parent | next [-] | | I don't know what build.zig commonly does, but in Rust build.rs often does things like compiling C/C++ libraries, so you can't sandbox it with WASM (contrary to proc macros, which most of the times can be compiled to WASM and there were/are efforts for that). How does Zig fare with that? | | |
| ▲ | audunw 36 minutes ago | parent | next [-] | | I assume the compiler(s) do not run in WASM. Just the build script. The build script just orchestrates the compilers. So you can run any compiler that the build script is given access to, so compiling C/C++ or potentially any other language shouldn’t be an issue. In theory, you could run the whole compiler (including C) in WASM as well but I don’t think that’s the goal? You kinda need to trust the compiler itself. | |
| ▲ | insanitybit 4 hours ago | parent | prev [-] | | Even if they end up with a "this dependency can execute arbitrary code" it'll be a huge win because that will be an explicit grant to that dependency. You'll be able to know "which of my dependencies execute arbitrary code?" and encourage most of them not to. In rust, you can know this but it's going to be "basically all of my dependencies can do it" because somewhere they'll use a build script/ proc macro. I don't know Zig's plan, but once you have the ability to broker privileges like this you have the ability to audit the privileges being brokered and things change forever. |
| |
| ▲ | himata4113 5 hours ago | parent | prev [-] | | Use containerized development systems: bwrap (my favorite), devcontainers.json, isolated server, anything really. You can't protect yourself against malicious vscode extensions with a zig build system sandbox. |
| |
| ▲ | hansvm 4 hours ago | parent | prev [-] | | It makes more sense when you view sandboxing as enabling project correctness in the presence of skilled, fallible maintainers rather than preventing explicit attacks. Solutions for the former do a lot to thwart attacks from the latter, but attack prevention (especially with the form of "just another sandbox") is unlikely to help with the former. |
|
|
| ▲ | skybrian 2 hours ago | parent | prev | next [-] |
| Not a lot if you're going to run the code anyway. But when looking at open source code you don't trust yet, you might want to build code, without running it, so your development tools will work. |
|
| ▲ | reinitctxoffset an hour ago | parent | prev [-] |
| I just got so fed up with Starlark trying to do a nontrivial RBE prelude that's fairly different than Meta's. I added WASM/WASI bindings and wrote the prelude in Haskell. Both the bindings and the prelude took less time than I already wasted on multiple attempts in Starlark that all collapsed into string goop. It's nice to be able to bound the execution environment in a build tool but still use a serious programming language. Given Zig has excellent support for targeting WASM, seems you'd get the same advantages. |