On Thu, 22 Jun 2017 15:57:34 -0500
R0b0t1 <r03...@gmail.com> wrote:

> You might be interested in this bug I submitted:
> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of
> packages in dev-haskell my use of GHC and Cabal showed me it was
> impossible to prevent Cabal's maintenance scripts from running; those
> scripts download and execute unsigned code. This seems to imply to me
> that the entire language needs to be masked or removed from portage
> until security is added upstream.
It seems to me you are conflating a few unrelated things into a single
statement. Let's split them one by one:

1. "it was impossible to prevent Cabal's maintenance scripts from running"

Please provide a few example packages from dev-haskell/*::gentoo and an
example script file that you want to prevent from running, and why.
I don't quite understand if you are talking about "Setup.hs" code or
something else.

2. "those scripts download and execute unsigned code"

Please provide a few examples from dev-haskell/*::gentoo that do that
as part of the package build or installation process, so I would
understand why you see this problem as language- or ecosystem-specific
and not package-specific.

3. "This seems to imply to me that the entire language needs to be
masked or removed from portage until security is added upstream."

I fail to see the connection of the language to the online package
repository. It seems you are implying you already have a mechanism to
defend against arbitrary code executed by ./configure or 'make', and
that those (shell and GNU make) languages are fine. What is the
difference?

-- 

  Sergei