On Thu, 4 Mar 2021 16:14:08 +0100 to...@tuxteam.de wrote:

> On Thu, Mar 04, 2021 at 09:21:46AM -0500, Celejar wrote:
> > On Thu, 4 Mar 2021 14:17:59 +0100
> > <to...@tuxteam.de> wrote:
> >
> > > On Thu, Mar 04, 2021 at 08:10:45AM -0500, Celejar wrote:
> > > > On Thu, 4 Mar 2021 09:41:13 +0000
> > > > Joe <j...@jretrading.com> wrote:
> > > >
> > > > ...
> > > >
> > > > > Undoubtedly. But there is also no doubt that gcc and every other
> > > > > serious compiler in the West has been compromised. Why would they
> > > > > *not* be?
> > > >
> > > > Do you have any evidence for this, or is it just your assumption,
> > > > because "why would they not be?"
> > >
> > > You mean GCC specifically or some examples of build chain attacks
> > > in general? Because in the second case there are some nice specimens
> > > out there.
> >
> > I'm interested in anything, although my comment was focused
> > particularly on things as critical, fundamental, and ubiquitous as GCC
> > and "every other serious compiler."
>
> Two off the top of my head
>
> - Sometime 2017 [1], Microsoft put out a version of Visual Studio
> which baked "phone home" functionality into its compiled "products".
> Make no mistake: it phoned Microsoft. Imagine you compile an
> application for your customer, and this app phones... Microsoft.
>
> Some hilarity ensued. They said "oh, sorry. It wasn't with bad
> intentions" and reverted it.
>
> I call this pattern "Emergent Evil".

Outrageous, certainly - this sort of thing is one of the reasons I use
linux and avoid Microsoft products to the extent I find practical. But I
don't consider this a "build-chain attack."

> - NPM buildchain attacks are more and more frequent. Just publish
> a package out there and wait until someone takes the bait.
> An especially nice one was the event-stream [2] episode, where
> the malicious code only injected malicious code (yes, really)
> when it noticed that it was "in" the right build environment.
> Nice read. I'm sure this ain't the only one in this context.

Agreed - this sort of thing is scary. I know I can't avoid the risk
entirely, but this is one of the reasons I try hard to limit my use of
software to stuff in the repos. I understand it's no magic bullet against
this type of thing, but in my (not very informed) judgment, it's less
likely to happen to stuff that Debian is vetting. I.e., I'm hoping that
all those hoops that Debian makes packages jump through, which prevent
stuff I do want from entering the repos, will work here in my favor ;)

> Note that I'm no specialist. Otherwise the top of my head would
> be heavier ;-)
>
> Cheers
>
> [1]
> https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/
> [2] https://lwn.net/Articles/773121/

Celejar
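The NPM episode described above turned on a dependency that quietly appeared in the build and pulled its payload from the registry. A small audit of the kind a reviewer would run before trusting a refreshed lockfile is added here as an example; it is not code from the thread or from any project mentioned in it. It assumes a package-lock.json in the lockfileVersion 2/3 layout (a "packages" map keyed by node_modules paths), assumes registry.npmjs.org is the only permitted registry, and all lockfile contents below are constructed sample data.

```python
"""Defensive lockfile audit: flag new, changed, unpinned, or off-registry npm dependencies.

Added example (not from the mailing-list thread). It compares a previously
reviewed package-lock.json against a freshly generated one and reports the
changes a reviewer would want to inspect before running the build.
"""
import json
from urllib.parse import urlparse

# Assumption: the project only allows packages fetched from this registry host.
EXPECTED_REGISTRY_HOST = "registry.npmjs.org"


def _packages(lock: dict) -> dict:
    # Handles the lockfileVersion 2/3 "packages" map; the root project entry "" is skipped.
    return {path: entry for path, entry in lock.get("packages", {}).items() if path}


def audit_lockfile(old_lock: dict, new_lock: dict) -> dict:
    """Return findings by category; each value is a sorted list of node_modules paths."""
    old, new = _packages(old_lock), _packages(new_lock)
    findings = {"added": [], "version_changed": [], "missing_integrity": [], "off_registry": []}
    for path, entry in new.items():
        if path not in old:
            findings["added"].append(path)          # a dependency nobody reviewed yet
        elif entry.get("version") != old[path].get("version"):
            findings["version_changed"].append(path)  # a bump that deserves a changelog read
        if "integrity" not in entry:
            findings["missing_integrity"].append(path)  # tarball is not pinned by hash
        resolved = entry.get("resolved", "")
        # Entries with no "resolved" URL (git, file: or link: installs) are also flagged here.
        if urlparse(resolved).hostname != EXPECTED_REGISTRY_HOST:
            findings["off_registry"].append(path)
    return {category: sorted(paths) for category, paths in findings.items()}


# Constructed sample lockfiles: the "before" and "after" of a routine `npm install`.
OLD_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/stream-helper": {
            "version": "3.3.4",
            "resolved": "https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.4.tgz",
            "integrity": "sha512-CONSTRUCTED-SAMPLE-HASH-A",
        },
    },
}

NEW_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/stream-helper": {
            "version": "3.3.6",
            "resolved": "https://registry.npmjs.org/stream-helper/-/stream-helper-3.3.6.tgz",
            "integrity": "sha512-CONSTRUCTED-SAMPLE-HASH-B",
        },
        # New transitive dependency that arrived with the version bump.
        "node_modules/flat-helper": {
            "version": "0.1.1",
            "resolved": "https://registry.npmjs.org/flat-helper/-/flat-helper-0.1.1.tgz",
            "integrity": "sha512-CONSTRUCTED-SAMPLE-HASH-C",
        },
        # New dependency fetched from outside the registry and not pinned by hash.
        "node_modules/dev-tool": {
            "version": "2.0.0",
            "resolved": "https://example.invalid/downloads/dev-tool-2.0.0.tgz",
        },
    },
}


def report(findings: dict) -> str:
    """Render the findings as plain text, one line per category."""
    lines = []
    for category, paths in findings.items():
        lines.append(f"{category}: {', '.join(paths) if paths else '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice load the two files with json.load(); here the dicts are embedded.
    print(report(audit_lockfile(OLD_LOCK, NEW_LOCK)))
```

Run against two real lockfiles, "added" and "off_registry" are the lists to read first: a brand-new transitive package is exactly where the event-stream style of attack lands, and a tarball that does not come from the expected registry, or carries no integrity hash, cannot be re-verified later.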