On Thu, 22 Jun 2017 15:57:34 -0500
R0b0t1 <r03...@gmail.com> wrote:

> You might be interested in this bug I submitted:
> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there are a lot of
> packages in dev-haskell my use of GHC and Cabal showed me it was
> impossible to prevent Cabal's maintenance scripts from running; those
> scripts download and execute unsigned code. This seems to imply to me
> that the entire language needs to be masked or removed from portage
> until security is added upstream.

It seems to me you are conflating a few unrelated
things into a single statement. Let's split them one by one:

1. "it was impossible to prevent Cabal's maintenance scripts from running"

   Please provide a few example packages from dev-haskell/*::gentoo
   and example script file that you want to prevent from running and why.

   I don't quite understand if you are talking about "Setup.hs" code or
   something else.

2. "those scripts download and execute unsigned code"

   Please provide a few examples from dev-haskell/*::gentoo that do that
   as part of package build or installation process. So I would understand
   why you see this problem as language- or ecosystem-specific and not
   package-specific.

3. "This seems to imply to me that the entire language needs to be masked
    or removed from portage until security is added upstream."

   I fail to see the connection of the language to the online package
   repository.

   It seems you are implying you already have a mechanism to defend against
   arbitrary code executed by ./configure or 'make' and those (shell and GNU
   make) languages are fine. What is the difference?

-- 

  Sergei
