undefined | Better HN

0 pointspacketlost2y ago0 comments

In the era of modern CI and build infrastructure, I don't really think that's materially an issue.

0 comments

Those CI and build infrastructures rely on the Debian and RedHat being able to build system packages.

How would an automated CI or build infrastructure stop this attack? It was stopped because the competent package maintainer noticed a performance regression.

In this case, this imagined build system would have to track every rust library used in every package to know which packages to perform an emergency release for.

packetlostOP2y ago

I... don't see your point. Tracking the dependencies a static binary is built with is already a feature for build systems, just maybe not the ones Debian and RH are using now, but I imagine they would if they were shipping static binaries.

Rust isn't really the point here, it's the age old static vs dynamic linking argument. Rust (or rather, Cargo) already tracks which version of a dependency a library depends on (or a pattern to resolve one), but it's besides the point.

ok1234562y ago

Rust is the issue here because it doesn't give you much of an option. And that option is the wrong one if you need to do an emergency upgrade of a particular library system-wide.

1 more reply

steveklabnik2y ago

> imagined

Cargo already has this information for every project it builds. That other systems do not is their issue, but it’s not a theoretical design.

ok1234562y ago

So, I know that librustxz has been compromised. I'm Debian. I must dive into each rust binary I distribute as part of my system and inspect their Cargo.toml files. Then what? Do I fork each one, bump the version, hope it doesn't break everything, and then push an emergency release!??!

1 more reply

j / k navigate · click thread line to collapse

0 comments

ok1234562y ago

Those CI and build infrastructures rely on the Debian and RedHat being able to build system packages.

How would an automated CI or build infrastructure stop this attack? It was stopped because the competent package maintainer noticed a performance regression.

In this case, this imagined build system would have to track every rust library used in every package to know which packages to perform an emergency release for.

packetlostOP2y ago

ok1234562y ago

Rust is the issue here because it doesn't give you much of an option. And that option is the wrong one if you need to do an emergency upgrade of a particular library system-wide.

1 more reply

steveklabnik2y ago

> imagined

Cargo already has this information for every project it builds. That other systems do not is their issue, but it’s not a theoretical design.

ok1234562y ago

1 more reply

j / k navigate · click thread line to collapse