The waf problem (running nondeterministic binary blobs at build)

[rain1]

Hello

I think there is a danger in packaging programs that use the 'waf' build 
system. That may pass a regular source code audit.

If you look at the last line of a waf file you may see strange text like 
this:

#==>
#BZh91AY&Ha<F0><<F7><FB>n<F6>address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@^O^GL^U...
#<==

It looks exactly like a PHP backdoor e.g. 
<https://www.trustwave.com/Resources/SpiderLabs-Blog/Hiding-Webshell-Backdoor-Code-in-Image-Files/>

Now waf is not malicious, it is actually an encoded bzip file containing 
the waf build system python scripts, the waf script reads its own source 
code and unpacks that before loading and running it.

but I don't think the authenticity of these scripts is being verified, 
since they are not being looked at and are obfuscated they are the 
perfect vector to hide a malicious code/backdoor.

Hoping to see if any specific ones had been tampered or that they were 
all equal I checked the sums of the files:

SHA256 (./ardour/waf) = 
205a55cfcbb5e54a70136f7cea2413c7de8a12e69d76cb56eec7d995ff06c44d
$ sha256 ./samba-4.3.8/buildtools/bin/waf
SHA256 (./samba-4.3.8/buildtools/bin/waf) = 
da076fbe7e5a9415035185fc19ab15a26ad3df5486181c25f9117c9ac32a9389
$ sha256 ./samba-4.3.8/third_party/waf
SHA256 (./samba-4.3.8/third_party/waf) = 
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
$ sha256 ./jalv-1.4.6/waf
SHA256 (./jalv-1.4.6/waf) = 
71b3c875adc31c5bf2c5c22eee3efc6da960be90c65ac56dfa0ae6e02cc64201
$ sha256 ./aubio-0.4.1/waf
SHA256 (./aubio-0.4.1/waf) = 
a71e5c6bd78ddd5cc9c15d7391921a23ca1c2ab4b2f9a56c9fad08f93cf23771

All of them are different! I think the bzip data is being created in 
non-reproducible way. This provides extra cover for malicious code and 
is a problem for auditing.

There are signed waf files that can be gpg verified <https://waf.io/>, 
but they are not being used.

I noticed that the mpv package actually copies a waf file in from the 
waf build system instead of using a packaged one, but (like others) it 
includes a waftools tree of python scripts. Maybe a policy like that 
would be a good response (rejecting included waf with binary blobs in 
them and checking that included build scripts are safe).

Anyway I hope this information is useful to improving the security of 
guix. Whatever way you decide to address it.