Comment by woodruffw

2 days ago

Yeah, I think forbidding network access within build systems would be a great default to employ.

(I wouldn’t be surprised to learn that a large number of packages in Python do in fact have legitimate network build-time dependencies. But it would be great to actually be able to quantify this so the situation could be improved.)

Is it really legitimate to have build time network deps? It just means the full source wasn't published and there's some hidden source being downloaded

  • I don’t know, I don’t have a value position on it. I just think it does happen as a matter of course.

    (Legitimate seems like a gray area to me — it’s common for applications to have a downloadable installer that then bootstraps the actual program, for example. Is this good or bad? I don’t know!)

    • I just thought I'd break down the positions from the most obvious to the least.

      1- The rules and customs regarding how applications and libraries are installed CAN be different.

      2- These customs MUST be different.

      3- Libraries should not download code or binaries over the network in contexts where it is expected they be built from source.

      4- Applications should have as few network pointers to binaries as possible; it reduces the amount of oversight app stores or antiviruses can have.

      I'm not saying it's a malicious pattern, but it doesn't help with distinguishing a malicious from a legitimate pattern. And I think legitimate actors generally want to jump through hoops that complicate things more for malicious actors than for legitimate ones.

      I don't know about you, but if I'm installing a pip, npm or maven dependency, I expect it to be open source, and if the repo being pulled from is just a pointer to a URL that downloads the actual code, I would feel kind of scammed; I'd probably just report it to PyPI or npm and would expect them to take it down. And especially if the package can change without changing the actual repo, it would fail an audit from me: it would mean a supply chain vuln wouldn't leave an artifact, and it would also mean the build isn't deterministic at all.
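The top comment asks for build-time network access to be refused by default and, separately, for a way to quantify how many packages actually need it; the last reply makes the audit point that a build which fetches code from a URL is not reviewable or deterministic. The example below is added here and is not code from any commenter or from a real build backend. It wraps a Python build step so that name resolution and outbound connects raise instead of reaching the network, and it records every attempted destination so the "how many packages need this" question can be answered over a corpus of builds. The package names, the build steps and the URL are constructed for the demo.

```python
"""Added example: refuse and record network access during a Python build step.

Constructed for this thread, not code from a real build backend. The guard
rebinds socket-level entry points so DNS lookups and TCP connects raise
BuildNetworkAccess, and records each attempt so the need for build-time
network access can be measured across many packages.
"""
import contextlib
import socket
from dataclasses import dataclass, field

# Captured at import so the restore can be verified after an audit run.
_ORIGINAL_GETADDRINFO = socket.getaddrinfo


class BuildNetworkAccess(RuntimeError):
    """Raised when a build step tries to use the network."""


@dataclass
class NetworkGuard:
    """Collects the destinations a build step tried to reach."""
    attempts: list = field(default_factory=list)


@contextlib.contextmanager
def no_network():
    """Block DNS lookups and connects for the duration of the block.

    Only Python-level socket use is intercepted; a native extension or a
    subprocess that opens its own sockets is not, so this is a measurement
    aid for pure-Python build backends, not a sandbox.
    """
    guard = NetworkGuard()

    def blocked_getaddrinfo(host, port, *args, **kwargs):
        guard.attempts.append(("dns", host, port))
        raise BuildNetworkAccess(f"name resolution refused during build: {host!r}")

    def blocked_connect(self, address, *args, **kwargs):
        guard.attempts.append(("connect", address))
        raise BuildNetworkAccess(f"connect refused during build: {address!r}")

    socket.getaddrinfo = blocked_getaddrinfo
    # socket.socket inherits connect/connect_ex from _socket.socket; setting
    # them on the Python subclass shadows the C methods for every instance.
    socket.socket.connect = blocked_connect
    socket.socket.connect_ex = blocked_connect
    try:
        yield guard
    finally:
        socket.getaddrinfo = _ORIGINAL_GETADDRINFO
        del socket.socket.connect      # inherited C methods become visible again
        del socket.socket.connect_ex


def audit_build_step(name, step):
    """Run one build step offline; return (name, completed, attempts)."""
    with no_network() as guard:
        try:
            step()
            completed = True
        except BuildNetworkAccess:
            completed = False
    return name, completed, list(guard.attempts)


def summarize(results):
    """Count how many audited steps needed the network (the 'quantify' part)."""
    needing_network = [name for name, completed, _ in results if not completed]
    return {"total": len(results),
            "needed_network": len(needing_network),
            "packages": needing_network}


def guard_restored():
    """True when no_network() has put the socket module back as it found it."""
    return (socket.getaddrinfo is _ORIGINAL_GETADDRINFO
            and "connect" not in socket.socket.__dict__)


# Constructed sample build steps standing in for package build backends.
def pure_build_step():
    """A build that only transforms local sources (stand-in computation)."""
    return len("compiled from the published sdist")


def fetching_build_step():
    """A build that tries to pull a prebuilt blob from a URL at build time."""
    import urllib.request
    urllib.request.urlopen("https://downloads.example.invalid/prebuilt.bin")


def run_demo():
    """Audit two constructed packages and return (summary, per-step results)."""
    results = [
        audit_build_step("pure-pkg", pure_build_step),
        audit_build_step("fetching-pkg", fetching_build_step),
    ]
    return summarize(results), results


if __name__ == "__main__":
    summary, results = run_demo()
    for name, completed, attempts in results:
        print(f"{name}: {'ok' if completed else 'NEEDS NETWORK'} {attempts}")
    print(summary)
```

Run over many sdists, the recorded `("dns", host, port)` tuples show which hosts builds reach for, which is the data the first comment says is missing. Because the interception lives inside the interpreter, it only catches Python-level socket use; for an enforced default rather than a survey, the build process itself should run in a network-less namespace or sandbox, with the fetch list above telling you which packages that default will break.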