Currently staticRead/staticExec do not have any limitations, but security of
this procedures can be fixed with limitations, e.g. limited to project
directory, absolute paths and so on.
@Lachu: the official Nim packages in Debian are using reproducible builds
successfully.
@cheatfate: sounds like you are describing staticRead and staticExec as a way
to obfuscate malicious code. There are many other ways to obfuscate Nim code
e.g. with complex macros. I wonder if sandboxing a b
`firejail` on nimble.
I don't known much about nim and compilation process. I known compilation same
C code on similar machine with similar system can produce different executable,
so there's reproductive compilation Debian project. But if nimble could install
dependencies, is there possible to write nim compilation
> Also it is possible that while building malicious application user will embed
> content of his own /etc/shadow or any other private information into binary.
So sandbox your build environment, it's the only thing that has a chance of
working. Everything else is like cleaning your teeth with a b
> There is little difference...
+1 to this. Also add nimblefiles to that, and then if you're using other build
systems, like makefiles, or gradle, this witch hunting quickly becomes
impractical. And then if we add --confirm flag, it is all-or-nothing, so once
you need one staticExec, you're und
@Araq this functions can be used to embed malware code into your
program/library and you even not notice it. Some packages from nimble
repository can be hacked and some hidden staticRead/staticExec can be inserted.
Also it is possible that while building malicious application user will embed
co
There are no such features. There is little difference in practice between "oh
this program does bad things at compile-time" and "oh this program does bad
things at runtime" and usually you compile a program in order to run it
afterwards...
Having said that, we could add a `--confirm` switch to
What can do staticRead and staticExec? Are there exist any restrictions? Is
there a way to restrict behavior, by (for example) passing command line
argument to compiler? I mean passing list of regexp. If programmer pass list of
regexp and staticRead (or staticExec) parameter don't match to any g