Remix.run Logo
g-b-r 2 hours ago

If you distribute generated artifacts you're not really distributing the source (and thus xz can happen)

Even for documentation, you'd think it would be harmless to generate it, but it's far from a given that the tools (e.g. browsers) used to read it are safe from malicious documentation files

cygx an hour ago | parent [-]

it's far from a given that the tools (e.g. browsers) used to read it are safe from malicious documentation files

Generated HTML files are potentially easier to audit than the scripts/toolchains used to generate them on an end user's machine if you do not pre-generate them.

Off the top of my head, other things I've done is committing RELAX NG *.rnc files, but shipping *.rng files, or generating C header files for various types of data (think `xxd -i` in case of binary files, but also just large chunks of plain text that gets wrapped into a C string).

g-b-r an hour ago | parent [-]

Hmm, potentially, the problem is that hardly anyone ever audits packages, while at least someone occasionally gives a look at a repository history

Can't the things you list be part of the build scripts?

cygx an hour ago | parent [-]

Sure - but running build scripts on an end-user's machine requires the user to have all relevant tools installed, and isn't exactly reducing the attack surface...

I still like the idea of shipping tarballs that include generated files instead of pulling input files from source control. As mentioned, the first thing that came to mind to make things easier to audit is to stick their contents into a community-controlled VCS.