On Thu, 22 Jun 2017 15:57:34 -0500
R0b0t1 <r030t1@×××××.com> wrote:

> You might be interested in this bug I submitted:
> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of
> packages in dev-haskell my use of GHC and Cabal showed me it was
> impossible to prevent Cabal's maintenance scripts from running; those
> scripts download and execute unsigned code. This seems to imply to me
> that the entire language needs to be masked or removed from portage
> until security is added upstream.

It seems to me you are conflating a few unrelated
things into a single statement. Let's split them one by one:

1. "it was impossible to prevent Cabal's maintenance scripts from running"

Please provide a few example packages from dev-haskell/*::gentoo
and an example script file that you want to prevent from running, and why.

I don't quite understand if you are talking about "Setup.hs" code or
something else.

2. "those scripts download and execute unsigned code"

Please provide a few examples from dev-haskell/*::gentoo that do that
as part of the package build or installation process, so I would understand
why you see this problem as language- or ecosystem-specific and not
package-specific.

3. "This seems to imply to me that the entire language needs to be masked
or removed from portage until security is added upstream."

I fail to see the connection of the language to the online package repository.

It seems you are implying you already have a mechanism to defend against
arbitrary code executed by ./configure or 'make' and those (shell and GNU make)
languages are fine. What is the difference?

-- 

Sergei