Author: Emma Smith
Created at: 2025-11-17 22:30
Number: 39
Clean content: Chris Angelico: The biggest protection is having multiple compilers. Do you want to make sure your gcc hasn’t been infected? Download the source code for gcc, and compile it using clang. This could also be affected, but only if someone has infected BOTH compilers. The more diffferent options there are, the less of a threat this is. Given that clang had to be bootstrapped by gcc, I think it is impossible to say that this will work for sure. Steve Dower: I’ll briefly put my security team hat on and say that the security side of this is being way overblown. The risk of a supply-chain attack via the compiler is miniscule compared to the multitude of other options - adding Rust doesn’t make that part worse. Thanks Steve! I appreciate you piping up on this. Steve Dower: I’d rather see people discussing things like how Rust provides any protection/benefit at all when we have to interop everything with “unsafe” C code at a level below anywhere PyO3 could help I have a couple of thoughts on this, and hope @davidhewitt has more since he has thought about this problem probably a lot more than I have First, we can build safe abstractions over unsafe operations which will reduce the amount of unsafe users need to interact with. Furthermore, I expect to start with, a safe core for extension modules can be implemented then exposed to CPython through unsafe FFI procedures. This is an approach that has seen wide success throughout other projects. One of Rust’s strengths is that it allows you to focus on where unsafety occurs. Finally, if more of the interpreter were to become Rust, these portions would presumably have safe Rust interfaces.
