Documentation building client for cabal-install
duncan.coutts at googlemail.com
Mon Oct 3 16:41:23 CEST 2011
On Wed, 2011-09-28 at 22:26 +0100, Max Bolingbroke wrote:
> Hi Hackagers,
> I've written a rough-and-ready documentation building service for the
> Hackage 2.0 effort. It is functional enough to submit build reports
> and build documentation for a few example packages on my local Hackage
> Duncan: please review+commit! I also had to make some small changes to
> cabal-install that should go into the Cabal repo.
Cool, thanks. That was quick! I only just got back from Tokyo.
Also got your note about the patch to avoid applying.
> Comments/suggestions welcome. There is one major known flaw in that
> the invocation of "cabal install" performed by the builder is not
> sandboxed. So arbitrary user code runs with the same privileges as the
> documentation builder itself. I guess the best solution to this is a
> chroot (to restrict the writeable part of the file system)+timeout?
Yeah, I think this is probably best solved by sys admin stuff rather
than trying to build anything sophisticated into the client itself.
Someone setting this up on a system would want to use some kind of
sandbox, either a vm, a chroot, SELinux policy or whatever else their
system provides. We should probably just provide a big fat warning and
pointers to documentation on various sandbox/container technologies.
More information about the cabal-devel