From d9bba6bda1bb4d8b5111a42c9e33159071588d77 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 13 Apr 2016 12:39:57 -0400
Subject: move to todo, and close
---
 ...compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn | 3 ---
 .../comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment | 14 --------------
 .../comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment | 7 -------
 ...compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn | 5 +++++
 .../comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment | 14 ++++++++++++++
 .../comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment | 7 +++++++
 6 files changed, 26 insertions(+), 24 deletions(-)
 delete mode 100644 doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
 delete mode 100644 doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
 delete mode 100644 doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
 create mode 100644 doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
 create mode 100644 doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
 create mode 100644 doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
diff --git a/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn b/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
deleted file mode 100644
index c40b29ef..00000000
--- a/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
+++ /dev/null
@@ -1,3 +0,0 @@
-The recent dependency on concurrent-output adding implies downloading, compiling, and executing as root of many (MissingH, hslogger, process, unix-compat, network, directory, ansi-terminal, unix, ...) unstrusted sources. This seems like a huge security problem...
-
-Are these at least downloaded using https?
diff --git a/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment b/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
deleted file mode 100644
index 39836219..00000000
--- a/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
+++ /dev/null
@@ -1,14 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""comment 1"""
- date="2016-04-05T17:19:50Z"
- content="""
-Yes, cabal is not secure from MITM.
-
-I've rethought adding that dependency so soon. I'll change back to bundling
-concurrent-output in 3.0.1.
-
-I can force ghc to build the concurrent-output
-module with -O2 as needed to get good memory use, and still let the rest of
-propellor build with -O0, which was the main motivation for unbundling it.
-"""]]
diff --git a/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment b/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
deleted file mode 100644
index 5c17f1bb..00000000
--- a/doc/forum/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="gueux"
- subject="comment 2"
- date="2016-04-05T18:41:31Z"
- content="""
-great! thanks
-"""]]
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
new file mode 100644
index 00000000..d8493b27
--- /dev/null
+++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
@@ -0,0 +1,5 @@
+The recent dependency on concurrent-output adding implies downloading, compiling, and executing as root of many (MissingH, hslogger, process, unix-compat, network, directory, ansi-terminal, unix, ...) unstrusted sources. This seems like a huge security problem...
+
+Are these at least downloaded using https?
+
+> [[done]] --[[Joey]]
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
new file mode 100644
index 00000000..39836219
--- /dev/null
+++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2016-04-05T17:19:50Z"
+ content="""
+Yes, cabal is not secure from MITM.
+
+I've rethought adding that dependency so soon. I'll change back to bundling
+concurrent-output in 3.0.1.
+
+I can force ghc to build the concurrent-output
+module with -O2 as needed to get good memory use, and still let the rest of
+propellor build with -O0, which was the main motivation for unbundling it.
+"""]]
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
new file mode 100644
index 00000000..5c17f1bb
--- /dev/null
+++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="gueux"
+ subject="comment 2"
+ date="2016-04-05T18:41:31Z"
+ content="""
+great! thanks
+"""]]
-- cgit v1.2.3