| 1 |
On Sun, 25 Jun 2017 23:38:44 -0500 |
| 2 |
R0b0t1 <r030t1@×××××.com> wrote: |
| 3 |
|
| 4 |
> On Sun, Jun 25, 2017 at 7:13 AM, Sergei Trofimovich <slyfox@g.o> wrote: |
| 5 |
> > On Thu, 22 Jun 2017 15:57:34 -0500 |
| 6 |
> > R0b0t1 <r030t1@×××××.com> wrote: |
| 7 |
> > |
| 8 |
> >> You might be interested in this bug I submitted: |
| 9 |
> >> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of |
| 10 |
> >> packages in dev-haskell my use of GHC and Cabal showed me it was |
| 11 |
> >> impossible to prevent Cabal's maintenance scripts from running; those |
| 12 |
> >> scripts download and execute unsigned code. This seems to imply to me |
| 13 |
> >> that the entire language needs to be masked or removed from portage |
| 14 |
> >> until security is added upstream. |
| 15 |
> > |
| 16 |
> > It seems to me you are conflating a few unrelated |
| 17 |
> > things into a single statement. Let's split them one by one: |
| 18 |
> > |
| 19 |
> > 1. "it was impossible to prevent Cabal's maintenance scripts from running" |
| 20 |
> > |
| 21 |
> > Please provide a few example packages from dev-haskell/*::gentoo |
| 22 |
> > and example script file that you want to prevent from running and why. |
| 23 |
> > |
| 24 |
> > I don't quite understand if you are talking about "Setup.hs" code or |
| 25 |
> > something else. |
| 26 |
> > |
| 27 |
> |
| 28 |
> I mean that, to my knowledge, installing GHC and Cabal via Portage |
| 29 |
> will still result in Cabal fetching something - I assume packages or |
| 30 |
> an update of some kind - on its own. I need to try again using the |
| 31 |
> option Michael mentioned. Unless something was updated fairly recently |
| 32 |
> I honestly expect it to fail. |
| 33 |
|
| 34 |
It never was the case. |
| 35 |
|
| 36 |
> > 2. "those scripts download and execute unsigned code" |
| 37 |
> > |
| 38 |
> > Please provide a few examples from dev-haskell/*::gentoo that do that |
| 39 |
> > as part of package build or installation process. So I would understand |
| 40 |
> > why you see this problem as language- or ecosystem-specific and not |
| 41 |
> > package specific. |
| 42 |
> > |
| 43 |
> |
| 44 |
> I might later, but if you look at the bug you will see one of the |
| 45 |
> developers agree with me. I'm pretty sure it is the code in Setup.hs. |
| 46 |
> My memory tells me the dev-haskell packages are "safe" but my usage of |
| 47 |
> Haskell on Gentoo in the past led to Cabal somehow being run despite |
| 48 |
> how many things I manually selected in Portage to avoid running Cabal. |
| 49 |
|
| 50 |
Code in Setup.hs downloading stuff from internet is not much more frequent |
| 51 |
than on autotools packages. Of all the 1500 packages in ::haskell overlay |
| 52 |
I can remember maybe 3 of them. I have FEATURES=network-sandbox enabled. |
| 53 |
|
| 54 |
> > 3. "This seems to imply to me that the entire language needs to be masked |
| 55 |
> > or removed from portage until security is added upstream." |
| 56 |
> > |
| 57 |
> > I fail to see the connection of the language to the online package repository. |
| 58 |
> > |
| 59 |
> > It seems you are implying you already have a mechanism to defend against |
| 60 |
> > arbitrary code executed by ./configure or 'make' and those (shell and GNU make) |
| 61 |
> > languages are fine. What is the difference? |
| 62 |
> > |
| 63 |
> |
| 64 |
> New programming languages tend to be very closely entwined with their |
| 65 |
> own package manager. Haskell is no different. Unless things have |
| 66 |
> changed it's nearly impossible to use Haskell without Cabal. The last |
| 67 |
> time I experimented with it on Linux (slightly less than a year ago?) |
| 68 |
> Cabal would somehow be run by trying to install packages when I did |
| 69 |
> not explicitly invoke it. |
| 70 |
|
| 71 |
Sound scary. What precisely did you do? |
| 72 |
|
| 73 |
> Autotools isn't a package manager. Autotools is run after you have |
| 74 |
> downloaded and verified the source code. Autotools scripts could fetch |
| 75 |
> things themselves, but they usually don't and I don't know of a single |
| 76 |
> project that employs them in that way. If they did and the downloads |
| 77 |
> were not verified I would have a similar complaint as this one. |
| 78 |
> |
| 79 |
> The part that confused me the most was that I needed Cabal to be |
| 80 |
> installed even if I just wanted to get the Haskell platform to get |
| 81 |
> along with the dev-haskell packages installed through portage. |
| 82 |
|
| 83 |
I think you are mixing up two things: |
| 84 |
build system (Cabal library) and package manger (cabal tool): |
| 85 |
|
| 86 |
dev-haskell/cabal |
| 87 |
Description: A framework for packaging Haskell software |
| 88 |
|
| 89 |
dev-haskell/cabal-install |
| 90 |
Description: The command-line interface for Cabal and Hackage |
| 91 |
|
| 92 |
Build system (aka Cabal) is used in every haskell package. It has no |
| 93 |
special support to download packages from internet. It is not a package |
| 94 |
manager. |
| 95 |
|
| 96 |
It's typical usage is: |
| 97 |
- you download the package from internet yourself |
| 98 |
- verify it however you want |
| 99 |
- run 'runhaskell Setup.hs configure' |
| 100 |
- run 'runhaskell Setup.hs build' |
| 101 |
- run 'runhaskell Setup.hs install' |
| 102 |
|
| 103 |
This process only verifies existing dependencies and builds needed |
| 104 |
files locally. Unless you yourself put the arbitrary code in Setup.hs. |
| 105 |
|
| 106 |
Package manager (aka cabal tool) talks to the internet. |
| 107 |
It's precise function is: download package index from hackage server, |
| 108 |
fetch all the dependencies from hackage server and use Cabal library |
| 109 |
to build a haskell package. |
| 110 |
|
| 111 |
You can configure it not to use hackage sevrer and use a local mirror |
| 112 |
on your filesystem if you want. |
| 113 |
|
| 114 |
Gentoo haskell packages happen not to use 'cabal tool' at all |
| 115 |
at package's build process. |
| 116 |
|
| 117 |
-- |
| 118 |
|
| 119 |
Sergei |
Archives