
5 Jan 2007, 10:04 a.m.
On Wednesday, 3 January 2007 23:46, Neil Mitchell wrote:
We need some security on uploads to hackage, because Cabal packages can run arbitrary code during the build process
I think this should be strongly discouraged by Cabal, almost to the point where Setup files with custom code are disallowed by Hackage. Doing an attack on an in-use module is a lot more work than putting it in the configure script. [...]
There are already quite a few open build systems for "normal" (RPM, etc.) packages out there, and the usual technology is to run everything in a chroot cage. Would this be an option here, too? I have to admit that I currently do not fully understand who will run which code when, etc. when we talk about hackage.

Cheers,
S.