From: Alex Griffin <a@ajgrf.com>
To: guix-devel@gnu.org
Subject: Re: The waf problem (running nondeterministic binary blobs at build)
Date: Sat, 30 Apr 2016 18:55:25 -0500 [thread overview]
Message-ID: <1462060525.745798.594497289.456F27DF@webmail.messagingengine.com> (raw)
In-Reply-To: <87d1pcvfnb.fsf@gnu.org>
Debian replaces all binary 'waf' files with their own
'waf-uncompressed'. I think our python-waf package should be altered to
produce an uncompressed version, then the waf-build-system should
automatically use that (look at the python-pycairo package for an
example of using the system's waf version instead of the bundled one).
--
Alex Griffin
On Tue, Apr 26, 2016, at 05:16 AM, Ludovic Courtès wrote:
> Hi!
>
> rain1@openmailbox.org skribis:
>
> > I think there is a danger in packaging programs that use the 'waf'
> > build system. That may pass a regular source code audit.
> >
> > If you look at the last line of a waf file you may see strange text
> > like this:
> >
> > #==>
> > #BZh91AY&Ha<F0><<F7><FB>n<F6>l^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^O^GL^U...
> > #<==
>
> Ouch.
>
> > Now waf is not malicious, it is actually an encoded bzip file
> > containing the waf build system python scripts, the waf script reads
> > its own source code and unpacks that before loading and running it.
>
> In a way this is similar to Autoconf-generated ‘configure’ scripts, only
> more “concealed.”
>
> One could argue that this is source, in the form of a self-extracting
> archive, but source anyway.
>
> We could regenerate the ‘waf’ script of all Waf-using packages instead
> of using the provided one. However, we risk encountering
> incompatibilities, which is probably one of the reasons why Waf does
> this.
>
> But we would need to apply the same reasoning to
> Autoconf/Automake-generated files; this is what Debian does, but it
> would defeat the whole purpose of these tools, which is to facilitate
> bootstrapping by requiring nothing more than a Bourne shell and ‘make’.
>
> > but I don't think the authenticity of these scripts is being verified,
> > since they are not being looked at and are obfuscated they are the
> > perfect vector to hide a malicious code/backdoor.
>
> As for all packages, packagers should check the authenticity of the
> tarball that contains the ‘waf’ script.
>
> There is still the possibility, though, that the developer who produced
> the tarball was themself a victim of a targeted attack that led them to
> introduce a backdoored ‘waf’ into the tarball. But the same could be
> said of Autoconf, I suppose.
>
> Thoughts?
>
> Ludo’.
>
next prev parent reply other threads:[~2016-04-30 23:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-25 13:20 The waf problem (running nondeterministic binary blobs at build) rain1
2016-04-26 10:16 ` Ludovic Courtès
2016-04-30 23:55 ` Alex Griffin [this message]
2016-05-01 13:25 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462060525.745798.594497289.456F27DF@webmail.messagingengine.com \
--to=a@ajgrf.com \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).