From: Mark H Weaver
Subject: How to reduce our vulnerability from self-hosted compilers
Date: Thu, 26 Feb 2015 18:22:13 -0500
Message-ID: <87385s8di2.fsf@netris.org>
To: guix-devel@gnu.org

We are starting to add more self-hosted compilers, where our build recipes are downloading pre-compiled binaries from upstream. I'd like to propose a policy for dealing with this in a way that protects us as much as possible from upstream security breaches.

So far, with self-hosted compilers other than GCC, our recipes are simply downloading pre-compiled binaries for the latest version of the compiler. This makes us more vulnerable than necessary, because it means that every time we update one of these compilers, that is a new opportunity to get hacked.

Instead, I would prefer to do something closer to what we do in our core bootstrap. We should produce our own bootstrap binaries for each of these self-hosted compilers. Like our GCC bootstrap binaries, these binaries should be updated very rarely.

Then, we should use our own bootstrap binaries to build the latest version of any self-hosted compiler. In some cases, if the bootstrap binaries are too old to build the latest compiler, this might involve multiple steps.

Just as we have recipes to produce bootstrap gcc and binutils, we should have recipes to build bootstrap binaries for each self-hosted compiler in our system. Each time we produce an updated bootstrap compiler from an earlier one, it should be done with our deterministic package such that this update step can be independently verified by anyone who wishes to do so.

What do you think?

      Mark
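The checks the proposed policy relies on, as an added example that is not part of Mark's mail or of Guix itself: a pinned-hash check on the rarely-updated stage-0 binary, a multi-stage chain where each stage is built twice and compared, and a constructed stand-in `fake_build` for "the previous compiler builds the next one" so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original mail or from Guix): the verification
# discipline behind the proposed bootstrap policy, using POSIX sh and sha256sum.
set -u

# Verify a fetched bootstrap binary against the hash pinned in the recipe.
# Returns 0 on match, 1 on mismatch. The pinned hash changes only when the
# bootstrap binary is deliberately refreshed, never on routine compiler bumps.
verify_bootstrap() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Two independent builds of one stage must be bit-identical; that is what lets
# anyone re-verify the step from one bootstrap compiler to the next.
builds_agree() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Build a chain of compilers from a pinned stage-0 binary.
#   $1 stage-0 file, $2 its pinned sha256, $3 number of stages,
#   $4 a build command invoked as "$4 <previous-stage> <output>".
# Every stage is built twice and the outputs compared; prints the final stage.
bootstrap_chain() {
    stage0="$1"; pinned="$2"; nstages="$3"; build="$4"
    verify_bootstrap "$stage0" "$pinned" || { echo "stage-0 hash mismatch" >&2; return 1; }
    prev="$stage0"; i=1
    while [ "$i" -le "$nstages" ]; do
        out="$stage0.stage$i"
        "$build" "$prev" "$out" || return 1
        "$build" "$prev" "$out.check" || return 1
        builds_agree "$out" "$out.check" || { echo "stage $i not reproducible" >&2; return 1; }
        prev="$out"; i=$((i + 1))
    done
    printf '%s\n' "$prev"
}

# Constructed, deterministic stand-in for "compiler at stage N builds stage N+1".
# A real recipe would run the previous-stage compiler on the next source release.
fake_build() { sha256sum "$1" | cut -d' ' -f1 > "$2"; }
```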