RFC: In guix compile the GUI sequentially from everything else? #29914

issue maflcko openend this issue on April 19, 2024
  1. maflcko commented at 3:07 pm on April 19, 2024: member

    Compiling the GUI pulls in quite a few dependencies, which could theoretically include backdoors that are leaked into bitcoind (or other non-GUI utils) as well.

    A possible mitigation would be to compile the GUI in a separate guix container from the rest of the binaries. The downside would be that the node library, and the depends dependencies of the node library would have to be compiled twice, but the overhead may be worth it?

    (I won’t be working on this, but I wanted to keep track of this in a brainstorming issue, as the topic has repeatedly come up)

  2. maflcko added the label Brainstorming on Apr 19, 2024
  3. maflcko added the label Build system on Apr 19, 2024
  4. laanwj commented at 4:33 pm on April 22, 2024: member
    FWIW in #29923 i’ve removed all the GUI specific build-time dependencies except for Qt itself.
  5. maflcko commented at 5:47 am on April 23, 2024: member

    FWIW in #29923 i’ve removed all the GUI specific build-time dependencies except for Qt itself.

    Nice!

    qt is still a massive blob (and possibly a large attack surface for backdoors), so I guess sequential builds could still be considered, but the priority would be less urgent after 29923.

  6. laanwj commented at 7:27 am on April 23, 2024: member
    Sure, and there may still be other reasons to have seperate build step; the idea of fully static binaries for the non-GUI utilities was raised again at CoreDev. This is not possible with the GUI as it necessarily needs access to the dynamic linker. And as this might require different compile and linker flags, this would also effectively need two seperate builds.
  7. fanquake commented at 11:00 am on April 24, 2024: member

    fully static binaries

    Yea. I think I’m just going to start PR’ing related changes, so we can move forward with static builds separately from the GUI, and keep all it’s deps / build tools out of the env.


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-21 09:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me