guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The waf problem (running nondeterministic binary blobs at build)

From: Alex Griffin
Subject: Re: The waf problem (running nondeterministic binary blobs at build)
Date: Sat, 30 Apr 2016 18:55:25 -0500 
Debian replaces all binary 'waf' files with their own
'waf-uncompressed'. I think our python-waf package should be altered to
produce an uncompressed version, then the waf-build-system should
automatically use that (look at the python-pycairo package for an
example of using the system's waf version instead of the bundled one).
-- 
Alex Griffin


On Tue, Apr 26, 2016, at 05:16 AM, Ludovic Courtès wrote:
> Hi!
> 
> address@hidden skribis:
> 
> > I think there is a danger in packaging programs that use the 'waf'
> > build system. That may pass a regular source code audit.
> >
> > If you look at the last line of a waf file you may see strange text
> > like this:
> >
> > #==>
> > #BZh91AY&Ha<F0><<F7><FB>n<F6>address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@address@hidden@^O^GL^U...
> > #<==
> 
> Ouch.
> 
> > Now waf is not malicious, it is actually an encoded bzip file
> > containing the waf build system python scripts, the waf script reads
> > its own source code and unpacks that before loading and running it.
> 
> In a way this is similar to Autoconf-generated ‘configure’ scripts, only
> more “concealed.”
> 
> One could argue that this is source, in the form of a self-extracting
> archive, but source anyway.
> 
> We could regenerate the ‘waf’ script of all Waf-using packages instead
> of using the provided one.  However, we risk encountering
> incompatibilities, which is probably one of the reasons why Waf does
> this.
> 
> But we would need to apply the same reasoning to
> Autoconf/Automake-generated files; this is what Debian does, but it
> would defeat the whole purpose of these tools, which is to facilitate
> bootstrapping by requiring nothing more than a Bourne shell and ‘make’.
> 
> > but I don't think the authenticity of these scripts is being verified,
> > since they are not being looked at and are obfuscated they are the
> > perfect vector to hide a malicious code/backdoor.
> 
> As for all packages, packagers should check the authenticity of the
> tarball that contains the ‘waf’ script.
> 
> There is still the possibility, though, that the developer who produced
> the tarball was themself a victim of a targeted attack that led them to
> introduce a backdoored ‘waf’ into the tarball.  But the same could be
> said of Autoconf, I suppose.
> 
> Thoughts?
> 
> Ludo’.
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]