On Thu, 22 Jun 2017 15:57:34 -0500 R0b0t1 <r03...@gmail.com> wrote: > You might be interested in this bug I submitted: > https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of > packages in dev-haskell my use of GHC and Cabal showed me it was > impossible to prevent Cabal's maintenance scripts from running; those > scripts download and execute unsigned code. This seems to imply to me > that the entire language needs to be masked or removed from portage > until security is added upstream.
It seems to me you are conflating a few unrelated
things into a single statement. Let's split them one by one:
1. "it was impossible to prevent Cabal's maintenance scripts from running"
Please provide a few example packages from dev-haskell/*::gentoo
and example script file that you want to prevent from running and why.
I don't quite understand if you are talking about "Setup.hs" code or
something else.
2. "those scripts download and execute unsigned code"
Please provide a few examples from dev-haskell/*::gentoo that do that
as part of package build or installation process. So I would understand
why you see this problem as language- or ecosystem-specific and not
package specific.
3. "This seems to imply to me that the entire language needs to be masked
or removed from portage until security is added upstream."
I fail to see the connection of the language to the online package
repository.
It seems you are implying you already have a mechanism to defend against
arbitrary code executed by ./configure or 'make' and those (shell and GNU
make)
languages are fine. What is the difference?
--
Sergei
pgpBdGWbElGit.pgp
Description: Цифровая подпись OpenPGP
