Document security guarantees & threat model in the README #14895
Labels
P2
We'll consider working on this in future. (Assignee optional)
team-Documentation
Documentation improvements that cannot be directly linked to other team labels
team-OSS
Issues for the Bazel OSS team: installation, release processBazel packaging, website
type: process
We've received this feedback: "It would be very helpful if you could outline a scope or threat model in the Security section of the README since it is not obvious what the security guarantees are that Bazel offers." and questions around what constitutes a security issue in Bazel and what not occasionally come up.
As an example, Bazel, just like any other build system, of course runs a lot of code from various sources as part of its normal operation. The fact that someone can write a potentially malicious
genrule
that will be executed as part of a build is probably "working as intended" (just like a compiler or integration test could do harmful stuff). Bazel's sandbox is (currently) not meant to be a security boundary.On the other hand, a hypothetical bug like "Bazel ignores the SHA256 of a downloaded http_archive" would be pretty bad.
We should document this for the benefit of our users and security researchers and to avoid potential misunderstanding about perceived security issues.
The text was updated successfully, but these errors were encountered: