| author | Joey Hess <joeyh@joeyh.name> | 2016-04-13 12:39:57 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2016-04-13 12:39:57 -0400 |
| commit | d9bba6bda1bb4d8b5111a42c9e33159071588d77 (patch) | |
| tree | 1ea9018023c494fa69eee883044d55c95820fa9b /doc/todo | |
| parent | 230aef7c9cc53476ac1a768f337c936308d2c930 (diff) | |
move to todo, and close
Diffstat (limited to 'doc/todo')
3 files changed, 26 insertions, 0 deletions
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn new file mode 100644 index 00000000..d8493b27 --- /dev/null +++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root.mdwn @@ -0,0 +1,5 @@ +The recent dependency on concurrent-output adding implies downloading, compiling, and executing as root of many (MissingH, hslogger, process, unix-compat, network, directory, ansi-terminal, unix, ...) unstrusted sources. This seems like a huge security problem... + +Are these at least downloaded using https? + +> [[done]] --[[Joey]] diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment new file mode 100644 index 00000000..39836219 --- /dev/null +++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_1_683c5b754fd7922ff3193a2f8bc6fd2e._comment @@ -0,0 +1,14 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2016-04-05T17:19:50Z" + content=""" +Yes, cabal is not secure from MITM. + +I've rethought adding that dependency so soon. I'll change back to bundling +concurrent-output in 3.0.1. + +I can force ghc to build the concurrent-output +module with -O2 as needed to get good memory use, and still let the rest of +propellor build with -O0, which was the main motivation for unbundling it. +"""]] 
diff --git a/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment new file mode 100644 index 00000000..5c17f1bb --- /dev/null +++ b/doc/todo/concurrent-output_dependency_implies_compilation_of_a_lot_of_unstrusted_sources_as_root/comment_2_bd695a2e9ab90b355a71388dc6e7205d._comment @@ -0,0 +1,7 @@ +[[!comment format=mdwn + username="gueux" + subject="comment 2" + date="2016-04-05T18:41:31Z" + content=""" +great! thanks +"""]] |
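Review bot: In the new todo page (the .mdwn file), the closing line "> [[done]] --[[Joey]]" marks the item done without saying how it was resolved; the only explanation is in comment 1 ("I'll change back to bundling concurrent-output in 3.0.1"). Suggest putting a one-line summary of the resolution next to the [[done]] marker so a reader of the page alone can see what changed and in which release. As a style point, the page name and the body both carry the misspelling "unstrusted"; if the path is being set by this move anyway, it is worth deciding whether to correct the file name now or keep it for link stability.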
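Review bot: In comment_1, the reply opens with "Yes, cabal is not secure from MITM." directly under the question "Are these at least downloaded using https?", so the leading "Yes" can be read as confirming https when the sentence says the opposite; an explicit answer to the https question would remove the ambiguity. The stated fix also covers only concurrent-output, while the report lists MissingH, hslogger, process, unix-compat, network, directory, ansi-terminal and unix as sources built and run as root. Before the item is closed as done, the comment should say whether bundling concurrent-output also removes the cabal download of those packages, or whether that part of the report remains open.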
