What's next?

Iustin Pop iusty at k1024.org
Thu Sep 5 23:54:53 CEST 2013


On Thu, Sep 05, 2013 at 12:18:15PM -0700, Johan Tibell wrote:
> On Thu, Sep 5, 2013 at 12:06 PM, Iustin Pop <iusty at k1024.org> wrote:
> > On Wed, Sep 04, 2013 at 09:14:03PM -0700, Johan Tibell wrote:
> >> ## Do the right thing automatically
> >>
> >> The focus here should be on avoiding manual steps that cabal could do
> >> for the user.
> >>
> >>  * Automatically install dependencies when needed. When `cabal build`
> >> would fail due to a missing dependency, just install this dependency
> >> instead of bugging the user to do it. This will probably have to be
> >> limited to sandboxes where we can't break the user's system
> >
> > I'm not sure if here by sandbox and break you mean break the
> > cabal/package installation, or protect against malicious code.
> >
> > If it's not the latter (and even if it is, how safe are the sandboxes?),
> > I would argue that until cabal can verify authenticity of downloaded
> > archives, it would be better to not do this automatically. Maybe add a
> > new command, cabal fetch-deps or something like that, that can do it,
> > but leave 'cabal build' as a "safe" command.
> 
> By break I mean break the package DB by forcefully re-installing a
> package. In a sandbox this is safe, as we have a single install plan
> for the whole sandbox and it's always safe to reinstall everything if
> need be.

Ack.

> As for security I don't think this is much less secure than telling
> the user to type 'cabal install' manually. We better focus our
> security efforts on making sure we speak HTTPS to Hackage, validate
> uploads there, etc. For the extra security conscious we can add a
> `no-automatic-downloads` setting to ~/.cabal/config.

I (personally) would still think no-automatic-downloads should be the
default, but if it's properly announced in the release notes and if it
can be disabled, then sounds good.

thanks,
iustin



