Article 56NK4 [Slackware security] Potential backdoor risk in Rust

by resolver from LinuxQuestions.org on (#56NK4)
In order to compile Rust on a system that doesn't have it, the Rust build script x.py insists on downloading binaries. You are expected to be OK with that. But no one is telling users it's happening so that they could make an informed decision.

Blindly downloading untrusted binaries in order to get something you urgently want is the exact type of thinking that has led to multitudes of people's computers getting Trojans installed on them.

The classic example is the "ignorant" Windows user, who sees a webpage saying "Update your flash player to view this lurid page!" so they do, and bingo, they got infected with Back Orifice or something worse. In a moment of rash emotional thinking, everything was lost.

If a distro maintainer doesn't reject software based on principles of good computer security, and blindly downloading binaries is terrible security, then we should all think twice about using that distro.

Taking an obvious risk because you think the payoff justifies it is one thing if it is just your personal computer that could get infected.

But a distro maintainer has a solemn responsibility to not put users at risk. That means not cutting corners with computer security.

If Rust is downloading binaries, and it clearly is, that's unacceptable, and if some other safer means of building the executables in question cannot be found, then Rust has to be rejected, even if it is (inexplicably) necessary to build Firefox.

Also, Rust on Slackware is broken as-is anyway. If you try to compile Firefox, it will tell you that it has to download yet more binaries, such as the standard library.