by rcxdude
1033 days ago
But the whole reaction here was 'this makes it more difficult to find security problems' (running a binary is not intrinsically a security problem; if instead you are just going to compile it and then run it, it's just harder to audit a binary), and yet no one was even doing the easy bit (auditing the source code). If someone had injected malicious code into the build.rs file it would have exactly the same effect.

Someone did: the Fedora maintainer who raised the issue. One of the reasons I avoid installing from wild-west package managers like Cargo/NPM/... is specifically because Debian/Fedora/... maintainers perform some basic checks like this so I don't have to.