On Sat, 7 Apr 2018 19:44:40 +0200 Clemens Lang <c...@macports.org>
> Remember that Portfiles can execute arbitrary code and root access
> is available from Portfiles. We do not want to run arbitrary code
> in a PR on the same build machines we use to build packages that we
> will distribute to our users. A malicious attacker could modify the
> machines in a way that packages built after that will be
> miscompiled.

Just a side note: other package building systems have dealt (in
various ways) with being able to build things without privileges.

For example, the Debian project has a cool tool called "fakeroot"
which uses an LD_PRELOADed library to make things being built _think_
they have root privileges when they don't -- actions like chmods and
chowns are recorded by the libraries and subsequent "fakerooted" calls
that read permissions or ownership or what have you replay what was
set earlier.

This allows the construction of installation packages that have
arbitrary users and permissions set in them without root having been
involved in builds.

See: https://manpages.debian.org/stretch/fakeroot-ng/fakeroot.1.en.html

I believe that "fakeroot" (or at least forks of it) have already been
ported to MacOS for use by other projects.

I would not suggest that the practice of building packages in isolated
VMs be changed, as that provides a lot of nice isolation and
security, but it might be nice to steal a tool like "fakeroot" to
allow for more flexibility.

Perry E. Metzger                pe...@piermont.com
