Hacker News new | ask | show | jobs
by monocasa 1032 days ago
> almost none of these people have audited a `build.rs` file or a proc macro implementation which effectively runs as you, completely unsandboxed

The biggest orgs tend to run all of their builds sandboxed, including what happens with build.rs. It's part of how they enforce dependency management day to day, but also helps protect against supply chain attacks.

So not everyone does, but enough people do that you can rely on their complaints for the more well trodden parts of the ecosystem.
2 comments
mmastrac 1032 days ago
> The biggest orgs tend to run all of their builds sandboxed, including what happens with build.rs. It's part of how they enforce dependency management day to day, but also helps protect against supply chain attacks.

Sandboxing doesn't completely prevent supply-chain attacks. You can avoid getting persistent malware on your CI machines, sure. Exfiltration of tokens and secrets during build? Maybe in a small handful of CI setups where admins have carefully split the source fetch, or limited CI network access to Nexus. Exfiltration of tokens and secrets and/or backdooring after the software has been deployed to production? No, build-time sandboxing doesn't help here at all.

On all developer machines as well? No. Very few big orgs do this and only for mission-critical stuff. Some very important ones have docker-based sandboxed workflows or SSH-to-sandboxed-cluster workflows, or air-gapped laptops but that's very, very rare (I worked in air-gapped environment for a bit and it was a massive pain).

link
monocasa 1032 days ago
> Sandboxing doesn't completely prevent supply-chain attacks.

Correct, it's more a defense in depth technique, not a complete defense.

> On all developer machines as well? No. Very few big orgs do this and only for mission-critical stuff.

All builds at Google for instance use the model I laid out including 'developer builds'.

link
mmastrac 1032 days ago
Oh wow. I'd be very interested in hearing how they sandbox rust-analyzer. I found a discussion of supporting the analyzer itself by generating config files [1][2], but not how you can sandbox it.

That would be extremely useful as the analyzer is a pretty juicy target and also runs proc-macros/build.rs scripts.

[1] https://github.com/bazelbuild/rules_rust/pull/384

[2] https://bazelbuild.github.io/rules_rust/rust_analyzer.html

link
mike-cardwell 1031 days ago
Sandboxing rust-analyzer is fairly easy. Here's how I did it:

https://www.grepular.com/Sandbox_Rust_Development_with_Rust_...

Well, that's a bit out of date now as I use podman, to get around the sudo issues. But that's the basic idea.

link
fnordpiglet 1032 days ago
Yeah everywhere I’ve been at back to 1995 does this for high security environments, and if we detected an issue we had security response teams that worked with maintainers and others to remediate.

For lower environments we generally used 3 month or more embargoes on precompiled stuff we couldn’t easily compile ourselves to mitigate some of the supply chain issues if we weren’t directly managing the chain of trust for the binary.

link