On Thu, Jun 22, 2017 at 1:31 PM, Michael Orlitzky <m...@gentoo.org> wrote:
> On 06/22/2017 10:41 AM, R0b0t1 wrote:
>>
>> This is kind of troubling because much like Cabal it seems like the
>> Rust package management system is insecure. Does the Firefox build
>> process make use of it?
>>
>
> It would be against our ebuild policy if it does so. The sources for a
> package should be listed in SRC_URI and are downloaded and verified by
> your Gentoo package manager. After that, network access is forbidden.
>
You might be interested in this bug I submitted: https://bugs.gentoo.org/show_bug.cgi?id=537162. While there are a lot of packages in dev-haskell, my use of GHC and Cabal showed me it was impossible to prevent Cabal's maintenance scripts from running; those scripts download and execute unsigned code. This seems to imply to me that the entire language needs to be masked or removed from portage until security is added upstream.

My personal take on both Rust and Haskell is that I don't want to install either of them on my main system, even just to experiment with them, because they are so insecure. If someone can comment on the security of Rust specifically, that would be helpful.
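The check Michael describes (sources listed in SRC_URI, fetched and verified by the package manager before any build step runs) is what separates Portage's model from a build tool that fetches and runs code on its own. The script below is an added example and is not Portage's code or anything from this thread: it re-implements, in reduced form, the distfile verification against a Gentoo-style Manifest `DIST` line (name, size, BLAKE2B, SHA512). The tarball contents, the Manifest and the tampered copy are all constructed inline; `sha512sum` and `b2sum` are assumed to be the GNU coreutils tools, with the BLAKE2B check skipped if `b2sum` is absent.

```shell
#!/bin/sh
# Added example, not Portage's own code: a reduced version of the
# distfile check described in the thread. A source archive is accepted
# only if its name, size, SHA512 and (where b2sum exists) BLAKE2B all
# match a DIST line in a Manifest; anything else is rejected before it
# can be unpacked or executed. Assumes GNU coreutils sha512sum/b2sum.
set -u

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

# Constructed stand-ins for fetched tarballs (contents are arbitrary).
# The tampered copy has the same name and the same size (20 bytes) as
# the genuine one, so only the digests expose it.
printf 'upstream source 1.0\n' > foo-1.0.tar.gz
mkdir tampered
printf 'upstream source 1.O\n' > tampered/foo-1.0.tar.gz
printf 'never listed\n' > foo-1.1.tar.gz

hash_b2() {
    if command -v b2sum >/dev/null 2>&1; then
        b2sum "$1" | cut -d' ' -f1
    else
        echo unavailable
    fi
}

# Emit one Manifest entry in Gentoo's format:
#   DIST <name> <size> BLAKE2B <hash> SHA512 <hash>
manifest_line() {
    printf 'DIST %s %s BLAKE2B %s SHA512 %s\n' \
        "$(basename "$1")" "$(wc -c < "$1" | tr -d ' ')" \
        "$(hash_b2 "$1")" "$(sha512sum "$1" | cut -d' ' -f1)"
}
manifest_line foo-1.0.tar.gz > Manifest

# verify_dist FILE MANIFEST -> 0 if every recorded field matches, 1 otherwise.
verify_dist() {
    file="$1"; manifest="$2"; name=$(basename "$1")
    line=$(grep "^DIST $name " "$manifest" | head -n 1)
    if [ -z "$line" ]; then
        echo "REJECT $name: not listed in $manifest" >&2
        return 1
    fi
    set -- $line
    want_size="$3"; want_b2="$5"; want_sha="$7"
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_sha=$(sha512sum "$file" | cut -d' ' -f1)
    have_b2=$(hash_b2 "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "REJECT $name: size $have_size, Manifest says $want_size" >&2
        return 1
    fi
    if [ "$have_sha" != "$want_sha" ]; then
        echo "REJECT $name: SHA512 mismatch" >&2
        return 1
    fi
    if [ "$want_b2" != unavailable ] && [ "$have_b2" != "$want_b2" ]; then
        echo "REJECT $name: BLAKE2B mismatch" >&2
        return 1
    fi
    echo "OK $name: size and digests match Manifest"
    return 0
}

# Demonstration: only the file the Manifest was written for passes.
for f in foo-1.0.tar.gz tampered/foo-1.0.tar.gz foo-1.1.tar.gz; do
    verify_dist "$f" Manifest || true   # keep going to show each verdict
done
```

The point of the size check before the digest comparison is only to fail fast; the decision rests on the digests, which is why the tampered copy, deliberately padded to the original's length, is still rejected. The Manifest itself is only as trustworthy as the signature on the tree it came from, which this example does not verify.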