| 1 |
On Thu, Jun 22, 2017 at 1:31 PM, Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> On 06/22/2017 10:41 AM, R0b0t1 wrote: |
| 3 |
>> |
| 4 |
>> This is kind of troubling because much like Cabal it seems like the |
| 5 |
>> Rust package management system is insecure. Does the Firefox build |
| 6 |
>> process make use of it? |
| 7 |
>> |
| 8 |
> |
| 9 |
> It would be against our ebuild policy if it does so. The sources for a |
| 10 |
> package should be listed in SRC_URI and are downloaded and verified by |
| 11 |
> your Gentoo package manager. After that, network access is forbidden. |
| 12 |
> |
| 13 |
|
| 14 |
You might be interested in this bug I submitted: |
| 15 |
https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of |
| 16 |
packages in dev-haskell my use of GHC and Cabal showed me it was |
| 17 |
impossible to prevent Cabal's maintenance scripts from running; those |
| 18 |
scripts download and execute unsigned code. This seems to imply to me |
| 19 |
that the entire language needs to be masked or removed from portage |
| 20 |
until security is added upstream. |
| 21 |
|
| 22 |
My personal take on both Rust and Haskell is I don't want to install |
| 23 |
either of them on my main system even just to experiment with them |
| 24 |
because they are so insecure. If someone can comment on the security |
| 25 |
of Rust specifically that would be helpful. |
Archives