From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: The waf problem (running nondeterministic binary blobs at build)
Date: Tue, 26 Apr 2016 12:16:40 +0200
Message-ID: <87d1pcvfnb.fsf@gnu.org>
In-Reply-To: <4a18bcd6782d6dd053be5bc1c732a525@openmailbox.org> (rain1@openmailbox.org's message of "Mon, 25 Apr 2016 14:20:13 +0100")
To: rain1@openmailbox.org
Cc: Guix Devel <guix-devel@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi!

rain1@openmailbox.org wrote:

> I think there is a danger in packaging programs that use the 'waf'
> build system. That may pass a regular source code audit.
>
> If you look at the last line of a waf file you may see strange text
> like this:
>
> #==>
> #BZh91AY&Ha<nl^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^O^GL^U ...
> #<==

Ouch.

> Now waf is not malicious, it is actually an encoded bzip file
> containing the waf build system python scripts, the waf script reads
> its own source code and unpacks that before loading and running it.

In a way this is similar to Autoconf-generated ‘configure’ scripts, only
more “concealed.”  One could argue that this is source, in the form of a
self-extracting archive, but source anyway.
We could regenerate the ‘waf’ script of all Waf-using packages instead of
using the provided one.  However, we risk encountering incompatibilities,
which is probably one of the reasons why Waf does this.

But we would need to apply the same reasoning to Autoconf/Automake-generated
files; this is what Debian does, but it would defeat the whole purpose of
these tools, which is to facilitate bootstrapping by requiring nothing more
than a Bourne shell and ‘make’.

> but I don't think the authenticity of these scripts is being verified,
> since they are not being looked at and are obfuscated they are the
> perfect vector to hide a malicious code/backdoor.

As for all packages, packagers should check the authenticity of the
tarball that contains the ‘waf’ script.

There is still the possibility, though, that the developer who produced
the tarball was themself a victim of a targeted attack that led them to
introduce a backdoored ‘waf’ into the tarball.  But the same could be said
of Autoconf, I suppose.

Thoughts?

Ludo’.
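The thread's point is that the blob between `#==>` and `#<==` is a self-extracting archive and therefore auditable, as long as someone actually unpacks it instead of letting the script do so at build time. The following is an added example (not code from the thread, from Guix or from the Waf project) of a reviewer-side tool that locates the embedded comment-line archive, decodes it, checks the bzip2 magic, and lists the tar members in memory without ever executing the script. The escape scheme it assumes for fitting a binary blob onto one comment line (`#` as `##`, newline as `#/`, carriage return as `#*`) is an assumption made for this example; Waf's own encoding is not reproduced here, so a real `waf` file would need `decode_blob` adapted to the version at hand. The sample script it inspects is constructed inline.

```python
"""Unpack the archive carried in the trailing comment of a waf-style
self-extracting script so its contents can be audited, without running it.
Added example; the escape scheme is an assumption, not Waf's real encoding."""
import bz2
import io
import tarfile

START, END = b"#==>", b"#<=="
BZIP2_MAGIC = b"BZh"

# Hypothetical, prefix-free escaping (assumption for this example):
#   '#' -> '##', '\n' -> '#/', '\r' -> '#*'
ESCAPES = {b"#": b"##", b"\n": b"#/", b"\r": b"#*"}
UNESCAPES = {v[1:2]: k for k, v in ESCAPES.items()}  # second byte -> original


def encode_blob(raw: bytes) -> bytes:
    """Escape raw archive bytes for embedding (used only to build the sample)."""
    return b"".join(ESCAPES.get(bytes([b]), bytes([b])) for b in raw)


def decode_blob(encoded: bytes) -> bytes:
    """Undo encode_blob; reject malformed escapes rather than guessing."""
    out = bytearray()
    i = 0
    while i < len(encoded):
        b = encoded[i:i + 1]
        if b != b"#":
            out += b
            i += 1
            continue
        nxt = encoded[i + 1:i + 2]
        if nxt not in UNESCAPES:
            raise ValueError(f"bad escape at offset {i}")
        out += UNESCAPES[nxt]
        i += 2
    return bytes(out)


def find_payload(script: bytes) -> bytes:
    """Return the single comment line sitting between the START and END markers."""
    lines = script.split(b"\n")
    for i, line in enumerate(lines):
        if line == START:
            if i + 2 >= len(lines) or lines[i + 2] != END:
                raise ValueError("corrupt archive markers")
            payload = lines[i + 1]
            if not payload.startswith(b"#"):
                raise ValueError("payload is not a comment line")
            return payload[1:]
    raise ValueError("no embedded archive")


def inspect_script(script: bytes) -> dict:
    """Map member name -> contents of the embedded tar.bz2, never executing it."""
    blob = decode_blob(find_payload(script))
    if not blob.startswith(BZIP2_MAGIC):
        raise ValueError("embedded blob is not bzip2 data")
    data = bz2.decompress(blob)
    members = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()
    return members


def build_sample_script(files: dict) -> bytes:
    """Constructed sample: a stub launcher followed by the encoded archive line."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    blob = bz2.compress(buf.getvalue())
    header = b"#!/usr/bin/env python\n# stub that would unpack and run waflib\n"
    return header + START + b"\n#" + encode_blob(blob) + b"\n" + END + b"\n"


SAMPLE_FILES = {  # constructed contents, not real waflib code
    "waflib/Scripting.py": b"def waf_entry_point():\n    pass  # \r\n",
    "waflib/Node.py": b"class Node:\n    pass\n",
}

if __name__ == "__main__":
    script = build_sample_script(SAMPLE_FILES)
    for name, content in inspect_script(script).items():
        print(name, len(content), "bytes")
```

The recovered members can then be diffed against a freshly generated `waf` from the corresponding upstream release, which is the check that turns "source anyway" into something a packager has actually looked at.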