From d9bba6bda1bb4d8b5111a42c9e33159071588d77 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 13 Apr 2016 12:39:57 -0400
Subject: move to todo, and close

---
 ...compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn | 5 +++++
 .../comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment | 14 ++++++++++++++
 .../comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment | 7 +++++++
 3 files changed, 26 insertions(+)
 create mode 100644 doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
 create mode 100644 doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
 create mode 100644 doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
(limited to 'doc/todo')
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
new file mode 100644
index 00000000..d8493b27
--- /dev/null
+++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn
@@ -0,0 +1,5 @@
+The recent dependency on concurrent-output adding implies downloading, compiling, and executing as root of many (MissingH, hslogger, process, unix-compat, network, directory, ansi-terminal, unix, ...) unstrusted sources. This seems like a huge security problem...
+
+Are these at least downloaded using https?
+
+> [[done]] --[[Joey]]
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
new file mode 100644
index 00000000..39836219
--- /dev/null
+++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2016-04-05T17:19:50Z"
+ content="""
+Yes, cabal is not secure from MITM.
+
+I've rethought adding that dependency so soon. I'll change back to bundling
+concurrent-output in 3.0.1.
+
+I can force ghc to build the concurrent-output
+module with -O2 as needed to get good memory use, and still let the rest of
+propellor build with -O0, which was the main motivation for unbundling it.
+"""]]
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
new file mode 100644
index 00000000..5c17f1bb
--- /dev/null
+++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="gueux"
+ subject="comment 2"
+ date="2016-04-05T18:41:31Z"
+ content="""
+great! thanks
+"""]]
-- cgit v1.2.3