[Pkg-geany-team] Processed: retitle 654462 to Doesn't contain source for waf binary code ...
Jonas Smedegaard
dr at jones.dk
Wed Jan 4 13:06:16 UTC 2012
On 12-01-04 at 12:26pm, Barak A. Pearlmutter wrote:
> > How can the Debian project rest assured that that the binary indeed
> > is (only!) unpacking itself when executed?
>
> > Also, that it is the case for _every_ new upstream release, not only
> > once when you cared to investigate closely.
>
> Although that is a serious issue, *exactly* the same issue is present
> for *all* upstream sources, not just waf files. How do we know that
> some new configure.ac is safe to run autoreconf;./configure on? How
> do we know that some new C sources are safe? How do we know that a
> TIF file does not contain executable instructions which are cleverly
> jumped into by a carefully crafted deliberate typo? As far as I can
> tell, waf files used in the build process are a bit painful to examine
> and audit, but then so are .m4 autoconf macros.
>
> So the true answer is that we do our best, but (at least, without
> formal methods) we cannot "rest assured" without manual checking,
> running inside sandboxes, syscall tracing, etc. And even then, our
> slumber should be somewhat uneasy.
>
> In this regard, waf files are no different from any other scripts
> executed at build time.
Well, the very issue is that the code is binary: After each
git-import-orig I skim imported changes with "git log -p --color-words".
Not bullet-proof but better than simply trusting upstream.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-geany-team/attachments/20120104/267ee400/attachment-0001.pgp>
More information about the Pkg-geany-team
mailing list