by badjeans 1699 days ago
I found Nim's gorge command really useful. It runs a command at compile time and stores the output in a variable, so you can simply do things like:

    const compile_version = gorge "git describe --tags --always --dirty"
    const compile_time = gorge "date --rfc-3339=seconds"

That is very nice, thank you for sharing
So simply compiling code could execute any random code? How is that safe?
It is the normal way of the world. Makefiles are arbitrary code execution. 'build.rs' in Rust is the same. npm's package.json has an install script.

Often this arbitrary code is to do things like run "pkg-config --libs" or such to find dependencies to link against, or generate some files that shouldn't be checked into source code, but rarely does it have sandboxing or other restrictions.

Languages, like Go, which don't let a package execute arbitrary code on installation are the exception.

What do you normally do with code after you compile it?
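A defender-side check that follows from the comment above, added here as an example and not code from the post or from any of the projects it names: before building an untrusted tree, enumerate the places where merely compiling or installing it will run code. The scanner below looks for the hooks the thread lists (Nim's gorge, plus the related gorgeEx/staticExec procs, Rust's build.rs, npm lifecycle scripts in package.json, and Makefiles). The sample tree it scans is constructed in a temp directory for the demo; file names and hook lists are the assumptions it relies on.

```python
"""Enumerate build-time code-execution hooks in a source tree.

Added example for the thread above (not the original poster's code): an audit
helper that flags files which cause code to run at build or install time.
The demo tree is constructed below; nothing here touches a real project.
"""
import json
import re
import tempfile
from pathlib import Path

# Nim compile-time execution procs; gorge is the one from the top post.
NIM_EXEC_RE = re.compile(r"\b(gorge|gorgeEx|staticExec)\b")
# npm lifecycle scripts that run during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_tree(root):
    """Return a sorted list of (location, reason) findings for the tree at root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name
        if name == "build.rs":
            findings.append((rel, "Rust build script runs during `cargo build`"))
        elif name in ("Makefile", "makefile", "GNUmakefile"):
            findings.append((rel, "Makefile recipes run during `make`"))
        elif name == "package.json":
            findings.extend(_scan_package_json(path, rel))
        elif path.suffix in (".nim", ".nims"):
            findings.extend(_scan_nim(path, rel))
    return sorted(findings)


def _scan_package_json(path, rel):
    """Flag npm lifecycle scripts that execute on install."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [(rel, "package.json unreadable or not valid JSON")]
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    return [
        (rel, f"npm lifecycle script '{hook}' runs at install: {scripts[hook]!r}")
        for hook in NPM_INSTALL_HOOKS
        if hook in scripts
    ]


def _scan_nim(path, rel):
    """Flag Nim lines that invoke a compile-time command execution proc."""
    try:
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return [(rel, "Nim source unreadable")]
    out = []
    for lineno, line in enumerate(lines, 1):
        match = NIM_EXEC_RE.search(line)
        if match:
            out.append((f"{rel}:{lineno}", f"Nim compile-time exec via {match.group(1)}"))
    return out


def build_demo_tree():
    """Create a constructed sample tree with one hook of each kind; return its path."""
    root = Path(tempfile.mkdtemp(prefix="buildhooks-"))
    (root / "src").mkdir()
    # Constructed Nim file echoing the top post's usage of gorge.
    (root / "src" / "version.nim").write_text(
        'const compileVersion = gorge "git describe --tags --always --dirty"\n'
        'const banner = "hello"\n', encoding="utf-8")
    (root / "build.rs").write_text("fn main() {}\n", encoding="utf-8")
    (root / "package.json").write_text(json.dumps({
        "name": "demo",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }), encoding="utf-8")
    (root / "Makefile").write_text("all:\n\t$(CC) main.c\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for where, why in scan_tree(build_demo_tree()):
        print(f"{where}: {why}")
```

The scanner is a review aid, not a sandbox: a hit means "building this runs code from the tree", which is the point the comment makes, and the listed file names are only the common conventions, so a project using a custom build driver will not be caught by it.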
It's never safe to compile code; of course it can execute any random code, otherwise it would be useless...
It's true that most languages' build systems (nim, rust, autotools, makefiles, etc) are unsafe to execute if you do not trust them.

Go does stand in contrast to this. `go get` and `go build` cannot execute arbitrary code, and if you use those two commands to build untrusted code, in theory your machine should still remain uncompromised. They release CVEs for any issues here (such as https://github.com/golang/go/issues/29231).

Of course, if you run the code you compiled, that is unsafe, but just compiling it is supposed to be fine.