[RFT] Sandboxing package builds
Paul Spooren
mail at aparcar.org
Sat Apr 4 09:26:14 PDT 2026
Hi all,
Our buildbots build some 6k packages every 24h and if one of those contains malicious scripts during compile time, all packages could be affected. This isn’t a motivation for shenanigans but my request for you to test this sandboxing patch. It’s meant to work on both Linux via `bubblewrap` aka `bwrap` and macOS via `sandbox-exec`. It likely breaks packages left and right (without tweaking some permissions) but it avoids a huge attack vector of our binary package distribution.
https://github.com/openwrt/openwrt/pull/22353
Please test, complain and suggest improvements.
Thanks,
Paul
More information about the openwrt-devel
mailing list