On Sun, 25 Jun 2017 23:38:44 -0500
R0b0t1 <r03...@gmail.com> wrote:

> On Sun, Jun 25, 2017 at 7:13 AM, Sergei Trofimovich <sly...@gentoo.org> wrote:
> > On Thu, 22 Jun 2017 15:57:34 -0500
> > R0b0t1 <r03...@gmail.com> wrote:
> >
> >> You might be interested in this bug I submitted:
> >> https://bugs.gentoo.org/show_bug.cgi?id=537162. While there's a lot of
> >> packages in dev-haskell my use of GHC and Cabal showed me it was
> >> impossible to prevent Cabal's maintenance scripts from running; those
> >> scripts download and execute unsigned code. This seems to imply to me
> >> that the entire language needs to be masked or removed from portage
> >> until security is added upstream.
> >
> > It seems to me you are conflating a few unrelated
> > things into a single statement. Let's split them one by one:
> >
> > 1. "it was impossible to prevent Cabal's maintenance scripts from running"
> >
> > Please provide a few example packages from dev-haskell/*::gentoo
> > and an example script file that you want to prevent from running and why.
> >
> > I don't quite understand if you are talking about "Setup.hs" code or
> > something else.
> >
>
> I mean that, to my knowledge, installing GHC and Cabal via Portage
> will still result in Cabal fetching something - I assume packages or
> an update of some kind - on its own. I need to try again using the
> option Michael mentioned. Unless something was updated fairly recently
> I honestly expect it to fail.

It never was the case.

> > 2. "those scripts download and execute unsigned code"
> >
> > Please provide a few examples from dev-haskell/*::gentoo that do that
> > as part of the package build or installation process. So I would understand
> > why you see this problem as language- or ecosystem-specific and not
> > package specific.
> >
>
> I might later, but if you look at the bug you will see one of the
> developers agrees with me. I'm pretty sure it is the code in Setup.hs.
> My memory tells me the dev-haskell packages are "safe" but my usage of
> Haskell on Gentoo in the past led to Cabal somehow being run despite
> how many things I manually selected in Portage to avoid running Cabal.

Code in Setup.hs downloading stuff from the internet is not much more
frequent than in autotools packages. Of all the 1500 packages in the
::haskell overlay I can remember maybe 3 of them. I have
FEATURES=network-sandbox enabled.

> > 3. "This seems to imply to me that the entire language needs to be masked
> > or removed from portage until security is added upstream."
> >
> > I fail to see the connection of the language to the online package
> > repository.
> >
> > It seems you are implying you already have a mechanism to defend against
> > arbitrary code executed by ./configure or 'make' and those (shell and
> > GNU make)
> > languages are fine. What is the difference?
> >
>
> New programming languages tend to be very closely entwined with their
> own package manager. Haskell is no different. Unless things have
> changed it's nearly impossible to use Haskell without Cabal. The last
> time I experimented with it on Linux (slightly less than a year ago?)
> Cabal would somehow be run by trying to install packages when I did
> not explicitly invoke it.

Sounds scary. What precisely did you do?

> Autotools isn't a package manager. Autotools is run after you have
> downloaded and verified the source code. Autotools scripts could fetch
> things themselves, but they usually don't and I don't know of a single
> project that employs them in that way. If they did and the downloads
> were not verified I would have a similar complaint as this one.
>
> The part that confused me the most was that I needed Cabal to be
> installed even if I just wanted to get the Haskell platform to get
> along with the dev-haskell packages installed through portage.

I think you are mixing up two things: the build system (Cabal library)
and the package manager (cabal tool):

    dev-haskell/cabal
        Description: A framework for packaging Haskell software
    dev-haskell/cabal-install
        Description: The command-line interface for Cabal and Hackage

The build system (aka Cabal) is used in every haskell package. It has no
special support to download packages from the internet. It is not a
package manager. Its typical usage is:

- you download the package from the internet yourself
- verify it however you want
- run 'runhaskell Setup.hs configure'
- run 'runhaskell Setup.hs build'
- run 'runhaskell Setup.hs install'

This process only verifies existing dependencies and builds the needed
files locally. Unless you yourself put arbitrary code in Setup.hs.

The package manager (aka cabal tool) talks to the internet. Its precise
function is: download the package index from the hackage server, fetch
all the dependencies from the hackage server and use the Cabal library
to build a haskell package. You can configure it not to use the hackage
server and to use a local mirror on your filesystem if you want.

Gentoo haskell packages happen not to use the 'cabal tool' at all in
the package's build process.

-- 
  Sergei
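As an added illustration of the point Sergei makes above (this is example code written for this page, not code from the thread, from Cabal or from Gentoo): a small audit that classifies a package's Setup.hs as the stock "defaultMain" form or a custom one, and flags imports that indicate it shells out or reaches the network, the kind of check a packager can run on a verified distfile before 'runhaskell Setup.hs configure'. The list of suspect modules is an assumption of this example, not an authoritative catalogue, and the two Setup.hs samples are constructed.

```python
import re

# Heuristic list assumed for this example: modules whose presence in a
# custom Setup.hs suggests it runs external commands or talks to the network.
SUSPECT_MODULES = {
    "System.Process": "runs external commands",
    "Network.HTTP": "HTTP client",
    "Network.HTTP.Client": "HTTP client",
    "Network.Socket": "raw sockets",
    "Network.Curl": "libcurl bindings",
}

IMPORT_RE = re.compile(r"^\s*import\s+(?:qualified\s+)?([A-Z][\w.]*)", re.M)
COMMENT_RE = re.compile(r"--[^\n]*|\{-.*?-\}", re.S)


def audit_setup_hs(source: str) -> dict:
    """Return 'trivial' when Setup.hs only imports Distribution.Simple and
    calls defaultMain, otherwise 'custom'; also list suspect imports."""
    code = COMMENT_RE.sub("", source)          # ignore -- and {- -} comments
    imports = IMPORT_RE.findall(code)
    flagged = sorted((m, SUSPECT_MODULES[m]) for m in set(imports)
                     if m in SUSPECT_MODULES)
    trivial = (
        set(imports) <= {"Distribution.Simple"}
        and re.search(r"\bmain\s*=\s*defaultMain\s*$", code, re.M) is not None
    )
    return {"kind": "trivial" if trivial else "custom",
            "imports": imports, "flagged": flagged}


# Constructed samples: the stock Setup.hs, and a custom one whose hooks
# would be stopped by FEATURES=network-sandbox because they fetch at build time.
STOCK_SETUP = "import Distribution.Simple\nmain = defaultMain\n"
CUSTOM_SETUP = """\
{- custom hooks -}
import Distribution.Simple
import qualified Network.HTTP as H   -- fetches a blob during configure
import System.Process (callProcess)
main = defaultMainWithHooks simpleUserHooks { preConf = fetchThenConf }
"""

if __name__ == "__main__":
    for name, src in (("stock", STOCK_SETUP), ("custom", CUSTOM_SETUP)):
        result = audit_setup_hs(src)
        print(name, result["kind"], result["flagged"])
```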