search

distcc / distcc

distributed builds for C, C++ and Objective C
GNU General Public License v2.0
2.06k stars 290 forks source link

-fplugin warning even with --enable-tcp-insecure #356

Open holzi91 opened 5 years ago

holzi91 commented 5 years ago

When trying to compile a kernel I always get a timeout error on the client and

Warning: -fplugin= and/or -specs= passed, which are insecure and not supported.

on the volunteer even though I passed --enable-tcp-insecure. Was this option not supposed to disable this error?

The client is running Arch Linux and the volunteer Solus where I compiled it from master.

shawnl commented 5 years ago

There is no way to support these without changing the protocol.

holzi91 commented 5 years ago

So the solution is don't do it at all?

shawnl commented 5 years ago

both plugins and specs would require sending the file to the server. Its better to either avoid use of these features, or compile locally.

TafThorne commented 5 years ago

I would have said that in a similar spirit to adding --enable-tcp-insecure to allow a user to do something that may not be safe if they are not in a secure environment we should consider allowing -fplugin= and/or -specs= if security is the only reason they are not supported.

Compiling any source code is inherently unsafe unless you inspect every line of code and understand every library referenced. Originally it was not expected that users would spawn cloud instances to compile on but would use a handful for machines on a LAN, possibly without internet access. In the old days, most people had the benefit of an air-gap. If people want to do something unsafe because it is convenient or they feel confident it is safe for them; I would argue we default to letting them do it.

By all means, add a bailout warning that needs them to say --enable-insecure-compiler-options for us to proceed. Possibly reference both a "this is why it is unsafe" and a "here is the override"...

Having said all of that. If there is a bunch of work needed to actually add support for the two options in question, that is a separate request issue.

graysky2 commented 4 years ago

Is this related to https://github.com/distcc/distcc/issues/358 at all? I am getting the same output in the volunteer log and the inability to distribute out jobs.

@holzi91 - Did you trigger these errors building with makepkg? I found that if I build from the shell not using makepkg the compilation is distributed out via distcc.