On Sun, 25 Jun 2017 23:38:44 -0500
R0b0t1 <r030t1@×××××.com> wrote:

> On Sun, Jun 25, 2017 at 7:13 AM, Sergei Trofimovich <slyfox@g.o> wrote:
> > On Thu, 22 Jun 2017 15:57:34 -0500
> > R0b0t1 <r030t1@×××××.com> wrote:
> >
> >> You might be interested in this bug I submitted:
> >> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of
> >> packages in dev-haskell my use of GHC and Cabal showed me it was
> >> impossible to prevent Cabal's maintenance scripts from running; those
> >> scripts download and execute unsigned code. This seems to imply to me
> >> that the entire language needs to be masked or removed from portage
> >> until security is added upstream.
> >
> > It seems to me you are conflating a few unrelated
> > things into a single statement. Let's split them one by one:
> >
> > 1. "it was impossible to prevent Cabal's maintenance scripts from running"
> >
> > Please provide a few example packages from dev-haskell/*::gentoo
> > and an example script file that you want to prevent from running and why.
> >
> > I don't quite understand if you are talking about "Setup.hs" code or
> > something else.
> >
>
> I mean that, to my knowledge, installing GHC and Cabal via Portage
> will still result in Cabal fetching something - I assume packages or
> an update of some kind - on its own. I need to try again using the
> option Michael mentioned. Unless something was updated fairly recently
> I honestly expect it to fail.

It never was the case.

> > 2. "those scripts download and execute unsigned code"
> >
> > Please provide a few examples from dev-haskell/*::gentoo that do that
> > as part of package build or installation process. So I would understand
> > why you see this problem as language- or ecosystem-specific and not
> > package specific.
> >
>
> I might later, but if you look at the bug you will see one of the
> developers agrees with me. I'm pretty sure it is the code in Setup.hs.
> My memory tells me the dev-haskell packages are "safe" but my usage of
> Haskell on Gentoo in the past led to Cabal somehow being run despite
> how many things I manually selected in Portage to avoid running Cabal.

Code in Setup.hs downloading stuff from internet is not much more frequent
than on autotools packages. Of all the 1500 packages in ::haskell overlay
I can remember maybe 3 of them. I have FEATURES=network-sandbox enabled.

> > 3. "This seems to imply to me that the entire language needs to be masked
> > or removed from portage until security is added upstream."
> >
> > I fail to see the connection of the language to the online package repository.
> >
> > It seems you are implying you already have a mechanism to defend against
> > arbitrary code executed by ./configure or 'make' and those (shell and GNU make)
> > languages are fine. What is the difference?
> >
>
> New programming languages tend to be very closely entwined with their
> own package manager. Haskell is no different. Unless things have
> changed it's nearly impossible to use Haskell without Cabal. The last
> time I experimented with it on Linux (slightly less than a year ago?)
> Cabal would somehow be run by trying to install packages when I did
> not explicitly invoke it.

Sounds scary. What precisely did you do?

> Autotools isn't a package manager. Autotools is run after you have
> downloaded and verified the source code. Autotools scripts could fetch
> things themselves, but they usually don't and I don't know of a single
> project that employs them in that way. If they did and the downloads
> were not verified I would have a similar complaint as this one.
>
> The part that confused me the most was that I needed Cabal to be
> installed even if I just wanted to get the Haskell platform to get
> along with the dev-haskell packages installed through portage.

I think you are mixing up two things:
build system (Cabal library) and package manager (cabal tool):

dev-haskell/cabal
Description: A framework for packaging Haskell software

dev-haskell/cabal-install
Description: The command-line interface for Cabal and Hackage

Build system (aka Cabal) is used in every haskell package. It has no
special support to download packages from internet. It is not a package
manager.

Its typical usage is:
- you download the package from internet yourself
- verify it however you want
- run 'runhaskell Setup.hs configure'
- run 'runhaskell Setup.hs build'
- run 'runhaskell Setup.hs install'

This process only verifies existing dependencies and builds needed
files locally. Unless you yourself put the arbitrary code in Setup.hs.

Package manager (aka cabal tool) talks to the internet.
Its precise function is: download package index from hackage server,
fetch all the dependencies from hackage server and use Cabal library
to build a haskell package.

You can configure it not to use hackage server and use a local mirror
on your filesystem if you want.

Gentoo haskell packages happen not to use 'cabal tool' at all
at package's build process.

--
Sergei
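As an added example that is not part of this thread, the script below follows the "download it yourself, verify it, then run Setup.hs configure/build/install" flow Sergei describes, and puts one extra check in front of it: it only proceeds when Setup.hs is the stock `defaultMain` stub, since a custom Setup.hs is exactly where arbitrary build-time code would live. It assumes sha256sum, tar and runhaskell are on PATH and that the expected checksum comes from a source you already trust; the checksum in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded Haskell source
# package, then run the Cabal *library* steps (no network involved).
# Assumptions: sha256sum, tar and runhaskell are on PATH; the expected
# checksum is obtained out of band (the value at the bottom is a placeholder).

# Return 0 if the tarball's sha256 matches the expected one, 1 otherwise.
verify_tarball() {
    tarball=$1; expected=$2
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Return 0 only if Setup.hs is the stock "defaultMain" stub, i.e. no custom
# code runs during configure/build/install. Anything else (extra imports,
# hooks, a missing file) is deliberately treated as "needs manual review".
setup_is_stock() {
    setup=$1
    [ -f "$setup" ] || return 1
    # Drop line comments and blank lines, then all whitespace, so the
    # comparison does not depend on layout.
    body=$(sed -e 's/--.*//' -e '/^[[:space:]]*$/d' "$setup" | tr -d '[:space:]')
    [ "$body" = "importDistribution.Simplemain=defaultMain" ]
}

# Unpack a verified tarball and run the three Cabal library steps locally.
# Return codes: 1 = checksum mismatch, 2 = custom Setup.hs, 3 = unpack failed,
# otherwise whatever runhaskell returned.
build_verified() {
    tarball=$1; expected=$2
    verify_tarball "$tarball" "$expected" \
        || { echo "checksum mismatch, refusing to build" >&2; return 1; }
    dir=$(tar tzf "$tarball" | head -n 1 | cut -d/ -f1)
    tar xzf "$tarball" || return 3
    setup_is_stock "$dir/Setup.hs" \
        || { echo "$dir/Setup.hs is not the stock stub, review it first" >&2; return 2; }
    # Cabal the library only checks already-installed dependencies and
    # builds inside $dir; it never fetches anything.
    ( cd "$dir" \
        && runhaskell Setup.hs configure \
        && runhaskell Setup.hs build \
        && runhaskell Setup.hs install )
}

# Usage (placeholder checksum; substitute the one you verified out of band):
# build_verified foo-1.0.tar.gz 0000000000000000000000000000000000000000000000000000000000000000
```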