by iveqy 1108 days ago
I'm curious about the security implications of using distcc. Doesn't this mean that if one computer gets compromised, the attacker can run code on all other computers using distcc, or secretly inject malicious code into the build result?

So using distcc means that all computers using it must be trusted. And that means that using it on "all developers' computers to share the load" is good for performance but bad for security.

3 comments

Everything on the same LAN should generally be treated as "compromised/not compromised" together. There's rarely just a compromise of one machine in the same way there's never just one cockroach.

I'm not sure whether distcc affects reproducible builds?

You could, in any case, have tighter controls on the release builds, which would be done on a CI machine before signing.

(Back when I used distcc we didn't distribute across the dev machines, we had an entire build farm of two racks of 2U servers!)

> Everything on the same LAN should generally be treated as "compromised/not compromised" together. There's rarely just a compromise of one machine in the same way there's never just one cockroach.

I would not generalise so quickly. Is every computer on the internet compromised if one is compromised?

No. It highly depends on the trust between those machines and whether they share similar services with critical vulnerabilities. Only then might they be compromised together.

But the world has evolved, and not everyone bases their total trust and security thinking on "no outside internet connection, we are fine" anymore.

> Is every computer on the internet compromised if one is compromised?

The internet is not a LAN (local area, L2), where computers do indeed typically have a more generous policy regarding access between each other.

Think about the Windows firewall asking whether you just connected to a work/public/home network.

> Everything on the same LAN should generally be treated as "compromised/not compromised" together. There's rarely just a compromise of one machine in the same way there's never just one cockroach.

That might've been true 10 years ago and still is in some cases, but I wouldn't assume that now; far more things run over encryption, for example, or have a firewall.

Yes, that's correct: reusing developers' computers means you're trusting all of them. At small scale, that may be acceptable because you probably trust them all a lot anyhow, and perhaps are unlikely to have a strictly hermetic and isolated build system.

When the team is bigger or when security is more important, it's important to have a build system where you're confident that no one can subvert the output, and that includes ensuring that very few people can control machines running distccd.

Another way in which it shows its age is that, by default, there are only netblock-based restrictions on clients, and connections are over unencrypted TCP by default (last time I looked), although there is an option to use SSH (or I guess Tailscale or similar).
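The comment above describes the two knobs that matter: on the client side, `DISTCC_HOSTS` decides whether compiles travel over plain TCP (`HOST/LIMIT`) or over SSH (`@HOST/LIMIT`), and on the server side `distccd --allow` restricts which netblocks may connect. The shell snippet below is an added illustration and not code from the thread or from the distcc project; it audits a `DISTCC_HOSTS` value for clear-text entries and prints a restricted daemon invocation. The host names, addresses and netblocks are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a DISTCC_HOSTS setting for
# clear-text entries and show a restricted distccd start. All host names,
# addresses and netblocks below are constructed placeholders.

# distcc host-list syntax: HOST/LIMIT is plain TCP, @HOST/LIMIT is SSH mode.
# Print the entries that would send source and object code in clear text.
plain_tcp_entries() {
    for entry in $1; do
        case "$entry" in
            localhost*|--*|'+'*) ;;   # local compiles, options, +zeroconf: no remote host
            @*) ;;                     # SSH mode entry, encrypted and authenticated
            *) echo "$entry" ;;        # bare HOST[:PORT]/LIMIT: unencrypted TCP
        esac
    done
}

# Succeeds only when every remote entry uses SSH mode.
all_ssh() {
    [ -z "$(plain_tcp_entries "$1")" ]
}

# Restricted daemon start: bind to one internal address, accept only one
# netblock, drop privileges to an unprivileged user, cap concurrent jobs.
# Arguments: listen address, allowed netblock, job limit.
distccd_hardened_cmd() {
    echo "distccd --daemon --user distcc --listen $1 --allow $2 --jobs $3 --log-file /var/log/distccd.log"
}

# Constructed sample settings: a clear-text list and an SSH-only list.
WEAK='10.0.0.11/8 10.0.0.12/8 localhost/2'
BETTER='@buildhost1/8 @buildhost2/8 localhost/2'

echo "clear-text entries in WEAK:"
plain_tcp_entries "$WEAK"
all_ssh "$BETTER" && echo "BETTER: all remote entries use SSH mode"
distccd_hardened_cmd 10.0.0.5 10.0.0.0/24 8
```

Even with SSH mode, a compromised build host can still return a tampered object file, so the check above only addresses the transport; whoever can log in to the hosts named in `DISTCC_HOSTS` still controls the build output.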

I don't know about other platforms... but on Gentoo, distcc is restricted to only running a small list of programs (i.e. gcc). That means you can't just send random commands to the distcc host from your "slow machines".

Granted, if your distcc host gets compromised, the compiled output shouldn't be trusted until the server can be reprovisioned.