Determine project goals #3

@tarcieri

At a high level, the goal of this project is to perform cargo builds inside of a sandboxed environment which restricts, to some extent, the capabilities of any code that executes at build-time.

A rationale for why this is valuable can be found in my Rust 2019 blog post: Security, Maturity, Stability

tl;dr: build-time attacks are stealthier than trojans in build targets, and permit lateral movement between projects when attacking a build system. The threat of a build-time trojan, versus a source code trojan, is an attack that does not leave behind forensic evidence and is therefore harder to investigate. Attacking a build system also potentially permits lateral movement between build targets.

That said, both the threat model and high-level design of this tool are debatable, and this issue is a place to discuss these matters.

Additional background:
