On Thu, Jun 22, 2017 at 1:31 PM, Michael Orlitzky <mjo@g.o> wrote:
> On 06/22/2017 10:41 AM, R0b0t1 wrote:
>>
>> This is kind of troubling because much like Cabal it seems like the
>> Rust package management system is insecure. Does the Firefox build
>> process make use of it?
>>
>
> It would be against our ebuild policy if it does so. The sources for a
> package should be listed in SRC_URI and are downloaded and verified by
> your Gentoo package manager. After that, network access is forbidden.
>

You might be interested in this bug I submitted:
https://bugs.gentoo.org/show_bug.cgi?id=537162. While there are a lot of
packages in dev-haskell, my use of GHC and Cabal showed me it was
impossible to prevent Cabal's maintenance scripts from running; those
scripts download and execute unsigned code. This seems to imply to me
that the entire language needs to be masked or removed from portage
until security is added upstream.

My personal take on both Rust and Haskell is that I don't want to install
either of them on my main system, even just to experiment with them,
because they are so insecure. If someone can comment on the security
of Rust specifically, that would be helpful.