| 1 |
On Thu, 22 Jun 2017 15:57:34 -0500 |
| 2 |
R0b0t1 <r030t1@×××××.com> wrote: |
| 3 |
|
| 4 |
> You might be interested in this bug I submitted: |
| 5 |
> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of |
| 6 |
> packages in dev-haskell my use of GHC and Cabal showed me it was |
| 7 |
> impossible to prevent Cabal's maintenance scripts from running; those |
| 8 |
> scripts download and execute unsigned code. This seems to imply to me |
| 9 |
> that the entire language needs to be masked or removed from portage |
| 10 |
> until security is added upstream. |
| 11 |
|
| 12 |
It seems to me you are conflating a few unrelated |
| 13 |
things into a single statement. Let's split them one by one: |
| 14 |
|
| 15 |
1. "it was impossible to prevent Cabal's maintenance scripts from running" |
| 16 |
|
| 17 |
Please provide a few example packages from dev-haskell/*::gentoo |
| 18 |
and example script file that you want to prevent from running and why. |
| 19 |
|
| 20 |
I don't quite understand if you are talking about "Setup.hs" code or |
| 21 |
something else. |
| 22 |
|
| 23 |
2. "those scripts download and execute unsigned code" |
| 24 |
|
| 25 |
Please provide a few examples from dev-haskell/*::gentoo that do that |
| 26 |
as part of package build or installation process. So I would understand |
| 27 |
why you see this problem as language- or ecosystem-specific and not |
| 28 |
package specific. |
| 29 |
|
| 30 |
3. "This seems to imply to me that the entire language needs to be masked |
| 31 |
or removed from portage until security is added upstream." |
| 32 |
|
| 33 |
I fail to see the connection of the language to the online package repository. |
| 34 |
|
| 35 |
It seems you are implying you already have a mechanism to defend against |
| 36 |
arbitrary code executed by ./configure or 'make' and those (shell and GNU make) |
| 37 |
languages are fine. What is the difference? |
| 38 |
|
| 39 |
-- |
| 40 |
|
| 41 |
Sergei |
Archives