unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* How to reduce our vulnerability from self-hosted compilers
@ 2015-02-26 23:22 Mark H Weaver
  2015-02-27 10:49 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2015-02-26 23:22 UTC (permalink / raw)
  To: guix-devel

We are starting to add more self-hosted compilers, where our build
recipes are downloading pre-compiled binaries from upstream.  I'd like
to propose a policy for dealing with this in such a way that protects us
as much as possible from upstream security breaches.

So far, with self-hosted compilers other than GCC, our recipes are
simply downloading pre-compiled binaries for the latest version of the
compiler.  This makes us more vulnerable than necessary, because it
means that every time we update one of these compilers, that is a new
opportunity to get hacked.

Instead, I would prefer to do something closer to what we do in our core
bootstrap.  We should produce our own bootstrap binaries for each of
these self-hosted compilers.  Like our GCC bootstrap binaries, these
binaries should be updated very rarely.  Then, we should use our own
bootstrap binaries to build the latest version of any self-hosted
compiler.  In some cases, if the bootstrap binaries are too old to build
the latest compiler, this might involve multiple steps.

Just as we have recipes to produce bootstrap gcc and binutils, we should
have recipes to build bootstrap binaries for each self-hosted compiler
in our system.  Each time we produce an updated bootstrap compiler from
an earlier one, it should be done with our deterministic package such
that this update step can be independently verified by anyone who wishes
to do so.

What do you think?

      Mark

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: How to reduce our vulnerability from self-hosted compilers
@ 2015-02-27 11:25 Federico Beffa
  0 siblings, 0 replies; 4+ messages in thread
From: Federico Beffa @ 2015-02-27 11:25 UTC (permalink / raw)
  To: ludo; +Cc: Guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> It think it’s a good idea, but I wonder if it is generally applicable.
>
> For instance, ISTR that GHC can be built with a couple of older versions
> whereas MIT Scheme may well require itself.  What exactly is possible is
> not always well-documented and sometimes only known to few people.

For GHC (at least currently) it is well documented, see
https://ghc.haskell.org/trac/ghc/wiki/Building/Preparation/Tools

In principle I agree with Mark's suggestion. However, I have a couple of
comments.

My intention was to build GHC and get rid of the required GHC bootstrap
binary from GUIX altogether. With the current patch the store doesn't
need to include the bootstrap binaries which, when uncompressed,
requires 940MB! The compressed bootstrap binary archive is "only" 68MB.
(I'm thinking about download time here. But maybe we could force a local
"build" as discussed for TeXLive.)

The other point is: given that we know the hash of the tar file, if
somebody manages to hack them, we will detect it.

Regards,
Fede

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-02-27 21:13 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-02-26 23:22 How to reduce our vulnerability from self-hosted compilers Mark H Weaver
2015-02-27 10:49 ` Ludovic Courtès
2015-02-27 21:12   ` Andreas Enge
  -- strict thread matches above, loose matches on Subject: below --
2015-02-27 11:25 Federico Beffa

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).