On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc <gcc@gcc.gnu.org> wrote: > > > > > > > > > > I think the key difference here is that Autotools allows arbitrarily > > generated code to be executed at any time. More modern build systems > > require the use of specific commands/files to run arbitrary code, e.g. > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).\ > > > > To me it seems that Cargo is the absolute worst case with respect to > > supply chain attacks. > > > > It pulls in dependencies recursively from a relatively uncurated > > list of projects, puts the source of all those dependencies into a > > hidden directory in home, and runs Build.rs automatically with > > user permissions. > > > > 100% this. Wait until you learn how proc macros work.
proc macro execution should be heavily sandboxed, otherwise it seems compiling something is enough to get arbitrary code executed with the permission of the compiling user. I mean it's not rocket science - browsers do this for javascript. Hmm, we need a webassembly target ;) Richard.
