> How can the Debian project rest assured that the binary indeed
> is (only!) unpacking itself when executed?
> Also, that it is the case for _every_ new upstream release, not only
> once when you cared to investigate closely.
Although that is a serious issue, *exactly* the same issue is present
for *all* upstream sources, not just waf files. How do we know that
some new configure.ac is safe to run autoreconf;./configure on? How
do we know that some new C sources are safe? How do we know that a
TIF file does not contain executable instructions which are cleverly
jumped into by a carefully crafted deliberate typo? As far as I can
tell, waf files used in the build process are a bit painful to examine
and audit, but then so are .m4 autoconf macros.
So the true answer is that we do our best, but (at least, without
formal methods) we cannot "rest assured" without manual checking,
running inside sandboxes, syscall tracing, etc. And even then, our
slumber should be somewhat uneasy.
In this regard, waf files are no different from any other scripts
executed at build time.
Barak A. Pearlmutter
Hamilton Institute & Dept Comp Sci, NUI Maynooth, Co. Kildare, Ireland
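As an added illustration of the "syscall tracing" check the message above mentions (example code written for this page, not part of the original message and not code from the Debian or waf projects): a small auditor that reads the output of `strace -f -e trace=execve,openat,connect` from a build run and flags the things a self-unpacking build script has no business doing. The trace lines below are constructed for the example, not a real capture; the build root `/build/pkg`, the process IDs, the address and the allow-list of expected build tools are all assumptions, and relative paths are assumed to be relative to the build root.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the shape of
#   strace -f -e trace=execve,openat,connect -o trace.log python3 ./waf configure
# The PIDs, paths and address are made up for illustration; this is not a real capture.
SAMPLE_TRACE = """\
4242 execve("/usr/bin/python3", ["python3", "./waf", "configure"], 0x7ffd1234 /* 20 vars */) = 0
4242 openat(AT_FDCWD, "/build/pkg/waf", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/build/pkg/.waf3-2.0.23-0123456789/waflib/Build.py", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
4242 openat(AT_FDCWD, "/usr/lib/python3/dist-packages/six.py", O_RDONLY|O_CLOEXEC) = 5
4242 openat(AT_FDCWD, "/home/builder/.ssh/id_ed25519", O_RDONLY) = 6
4242 connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
4243 execve("/usr/bin/curl", ["curl", "https://203.0.113.5/x"], 0x55d0abcd /* 20 vars */) = 0
4242 +++ exited with 0 +++
"""

# One strace line: optional PID, syscall name, raw argument text, return value.
LINE_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)')
# Quoted C strings inside the argument list (handles escaped quotes).
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
# Reading under these prefixes is normal for any build (interpreter, libraries, headers).
SYSTEM_READ_PREFIXES = ("/usr/", "/lib", "/etc/", "/proc/", "/dev/", "/sys/")
# Assumed allow-list of programs a waf-based build is expected to execute.
DEFAULT_ALLOWED_EXEC = frozenset(
    {"python3", "python", "sh", "bash", "cc", "gcc", "g++", "ar", "ld", "pkg-config"}
)


def parse_line(line):
    """Return (pid, call, args, ret) or None for non-syscall lines
    ("+++ exited +++", "--- SIGCHLD ---", "<unfinished ...>", "resumed>")."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("pid"), m.group("call"), m.group("args"), m.group("ret")


def _under(path, root):
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def audit(trace_text, build_root, allowed_exec=DEFAULT_ALLOWED_EXEC):
    """Return (pid, category, detail) findings for activity outside what an
    unpack-and-build step should need: unexpected programs, writes outside
    the build root, reads of non-system files outside it, and IP networking."""
    findings = []
    for raw in trace_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        pid, call, args, _ret = parsed
        strings = STR_RE.findall(args)
        if call == "execve" and strings:
            if PurePosixPath(strings[0]).name not in allowed_exec:
                findings.append((pid, "exec", strings[0]))
        elif call in ("open", "openat") and strings:
            path = strings[0]
            if not path.startswith("/"):
                # Assumption: the traced process runs with cwd == build root.
                path = str(PurePosixPath(build_root) / path)
            if _under(path, build_root):
                continue
            flags = set(re.findall(r"O_[A-Z]+", args))
            if flags & WRITE_FLAGS:
                findings.append((pid, "write-outside-root", path))
            elif not path.startswith(SYSTEM_READ_PREFIXES):
                findings.append((pid, "read-outside-root", path))
        elif call == "connect" and ("AF_INET" in args or "AF_INET6" in args):
            # AF_UNIX connects (e.g. to a local daemon) are left alone.
            findings.append((pid, "network", args))
    return findings


if __name__ == "__main__":
    for pid, category, detail in audit(SAMPLE_TRACE, "/build/pkg"):
        print(f"[{category}] pid {pid}: {detail}")
```

In the constructed trace the Python interpreter starting waf and the files it unpacks under `/build/pkg/.waf3-*` pass, while the read of a private SSH key, the outbound TCP connect and the spawned `curl` are reported. The point the message makes still stands: a clean trace for one release says nothing about the next one, so this kind of check has to be repeated on every new upstream tarball, preferably inside a sandbox with no network at all.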