CMake, which is kind of the universal standard build system for C++ now, has “fetch content” since v3.11. Put the URL of a repository (which can be remote, but also local, which is handy) and optionally the branch / commit ID that you’d like, and it will pull it into your build directory automatically. So yeah, you can pull anything nefarious that you’d like. I don’t think most people would question pulling and building a library from Github as part of the build, especially if it had a sensible name for the task at hand.
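As an added illustration of the FetchContent mechanism described above (this is example configuration, not code from the thread or from any project it mentions), here is a CMakeLists.txt that contrasts a build tracking a moving branch with one pinned to a specific commit or to a hash-checked archive. The repository URL, commit SHA and archive hash are placeholders, and the library name "examplelib" is invented.

```cmake
# FetchContent_MakeAvailable needs 3.14; FetchContent itself exists since 3.11.
cmake_minimum_required(VERSION 3.14)
project(fetchcontent_pinning_demo LANGUAGES CXX)

include(FetchContent)

# Weak form: GIT_TAG names a branch, so whatever the remote serves at
# configure time is what gets compiled into the build. A commit pushed to
# that branch changes the build with no local change to review.
#
# FetchContent_Declare(
#   examplelib
#   GIT_REPOSITORY https://example.invalid/org/examplelib.git   # placeholder URL
#   GIT_TAG        main
# )

# Pinned form: GIT_TAG is a full 40-character commit SHA. Unlike a branch
# or a lightweight tag, a commit SHA cannot be repointed on the remote, so
# the source being built is exactly the one that was reviewed.
FetchContent_Declare(
  examplelib
  GIT_REPOSITORY https://example.invalid/org/examplelib.git   # placeholder URL
  GIT_TAG        0000000000000000000000000000000000000000     # placeholder SHA
)

# Alternative pinned form: fetch a release archive and check its digest.
# If the archive served no longer matches URL_HASH, configure fails instead
# of quietly building different content.
#
# FetchContent_Declare(
#   examplelib
#   URL      https://example.invalid/org/examplelib/archive/v1.2.3.tar.gz  # placeholder
#   URL_HASH SHA256=<placeholder-digest>
# )

# For audited or offline builds, this built-in CMake option stops FetchContent
# from contacting the network at all; the sources must already be present in
# the build tree (or be pointed at via FETCHCONTENT_SOURCE_DIR_<name>).
option(FETCHCONTENT_FULLY_DISCONNECTED "Never fetch or update dependencies" OFF)

FetchContent_MakeAvailable(examplelib)

add_executable(demo main.cpp)
target_link_libraries(demo PRIVATE examplelib)
```

Pinning to a commit SHA or an archive digest does not make the fetched code trustworthy by itself; it only guarantees that what gets built is the same thing someone actually looked at, which is the property a branch name cannot give.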
This is absolutely not just specific to Go.
The problem isn’t specific to anything. It’s also not specific to malware. Vulnerabilities are just as dangerous, if not more so.
Cargo also has a --git option but I suppose it’s not default behavior.
Sure! My point is that hosting doesn’t really matter, though. Malware and vulnerabilities are introduced at all points of supply chains.
I agree, I was just giving another example to raise awareness about that feature of rust.
That’s a pretty unique feature to Go I think. Maybe clang has something similar I guess?
Not that an attack like this is unique or anything.