caml-list - the Caml user's mailing list
 help / color / mirror / Atom feed
From: Louis Gesbert <louis.gesbert@ocamlpro.com>
To: caml-list@inria.fr, John F Carr <jfc@mit.edu>
Subject: Re: [Caml-list] Build-/Installation-Tools - not enogh of them?
Date: Fri, 30 Nov 2018 17:31:18 +0100	[thread overview]
Message-ID: <7429727.XKSIZ6bzdz@agaric> (raw)
In-Reply-To: <469288B6-200B-400D-8BCB-C3C53B0954B3@exchange.mit.edu>

[-- Attachment #1: Type: text/plain, Size: 5603 bytes --]

> - John F Carr, 27/11/2018 13:40 -
> I have a related request.  I am not a trusting person.  I do not like "curl | sudo sh" type installation methods.

You're not the only one :)
Some notes on opam's security model:

- opam 2.0 uses, by default `bubblewrap` [1] on Linux and `sandbox-exec` on OSX to ensure that package scripts:
  * don't make any network access
  * don't interact with other processes
  * don't write outside of their build dir, /tmp, and (in the case of install) the switch prefix (excl. opam files)

- this is done using simple wrapper scripts [2] and some default hooks configuration in ~/.opam/config, so if you know about built-in sandboxing engines for other OSes, it is fairly easy to experiment with them, and a contribution would be very welcome.

- while I expect this to be reasonably secure, it's intended first and foremost to avoid dramatic errors, not to protect against malicious repositories

- package scripts are protected but **not any use made by the users of the programs or libraries that were installed through opam**. In other words, building should be safe, but there is no guarantee about what the result of the build will do: that is not restrained by opam in any way

- the effort to provide end-to-end package signatures in the repository [3] is still ongoing. Cheers to Hannes Mehnert for the awesome work he has already done here. Most of the work should be done, but then we need to integrate all that, and there is a lot of work on the tooling so that it won't add to much burden on users and repository maintainers (this commonly results in most disabling the security features, which is as good has having no security features to begin with).

- we do advertise `curl | sh` on the installation page as the easiest entry point, but the script is quite trivial and only uses root to copy to your prefix; it's very easy to fetch the binary by hand from Github if you prefer not to run it, and of course, you can also build from source using the bootstrap scripts.

> If a package has 'rm -rf $BUILD/', or equivalent ocaml code, are its ill
> effects confined when BUILD is unset?

yes, that's the whole point of the sandboxing that was introduced in 2.0

> Can the build process grab screenshots from the background?

not sure. Probably not on Linux since we use a different process space, but maybe on OSX. In anycase, since network access is blocked in both cases, that wouldn't do much harm.

> One reason I like make is, if the Makefile is simple you know what it's going to do.

I would object that opam package definition files (`opam` or `foo.opam`) should be at least as straightforward to read even if you have never seen the syntax, are less error-prone, and are generally much shorter. Just look for the "build:" and "install:" parts. But I agree you need to know first to look at them, and since they are generally an indirection to some build-system (`make`, `dune`, `topkg`...), you would just start digging...

> Also, the xkcd on standards seems relevant: https://xkcd.com/927/

We have _actually_ been converging as of late, though.


Best,
Louis Gesbert — OCamlPro



[1] https://github.com/projectatomic/bubblewrap
[2] https://github.com/ocaml/opam/blob/master/src/state/shellscripts/bwrap.sh
and https://github.com/ocaml/opam/blob/master/src/state/shellscripts/sandbox_exec.sh
[3] https://github.com/hannesm/conex

> Whatever one true packaging system we use, I want to trust it not to let the build process mess up my system.  For example, I see opam makes some attempt to contain the build process on some systems.  It's not clear to me how much it does and how effective.  And it appaerntly does not work on BSD.  If a package has 'rm -rf $BUILD/', or equivalent ocaml code, are its ill effects confined when BUILD is unset?  Can the build process grab screenshots from the background?  And so on.
> 
> One reason I like make is, if the Makefile is simple you know what it's going to do.
> 
> Also, the xkcd on standards seems relevant: https://xkcd.com/927/
> 
> > On Nov 26, 2018, at 05:14 , Oliver Bandel <oliver@first.in-berlin.de> wrote:
> > 
> > Hello,
> > 
> > a while ago it looked like there were not enough build- and installation-tools
> > for OCaml. I remember some discussions about that.
> > 
> > Now it seems to me that there are a lot of them.
> > So, developers can pick the one they know about.
> > 
> > For all these tools there might be good reasons to use them, and those
> > developers who looked at these tools and choose them for their projects, will
> > know them well enough.
> > 
> > The situation differs, if one wants to package the written software,
> > and one needs to know many of those tools, just to compile the stuff.
> > So, when one just wants to compile and install some software,
> > just for that, it would take much effort to learn the different build-tools.
> > 
> > So, packaging has become more complicated, even though for the developers
> > these tools may save time.
> > 
> > It would be nice if people who used one of the many new building tools
> > could provide a Makefile that allows just to type
> > "make" and "make install", instead of expecting everyone who wants to compile
> > the software to first learn just-another-build-tool.
> > 
> > Also it would be good, to mention early, which installation tools (make-dependencies)
> > are in use, and too mention needed packages (opam or others) to just build the stuff.
> > 
> > Thanks and regards,
> >  Oliver Bandel
> > 
> 
> 
> 

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

  reply	other threads:[~2018-11-30 16:33 UTC|newest]

Thread overview: 70+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-26 10:14 Oliver Bandel
2018-11-26 16:41 ` Yawar Amin
2018-11-26 16:57   ` Julia Lawall
2018-11-26 17:15     ` Yawar Amin
2018-11-26 20:33       ` Julia Lawall
2018-11-26 20:47         ` Yawar Amin
2018-11-26 20:54           ` Julia Lawall
2018-11-26 21:19             ` Yawar Amin
2018-11-26 21:29               ` Julia Lawall
2018-11-26 22:16                 ` SP
2018-11-27  5:24                   ` Malcolm Matalka
2018-11-28  0:20                     ` SP
2018-11-27  6:11                   ` Julia Lawall
2018-11-27  8:45                     ` SF Markus Elfring
2018-11-28  0:04                     ` SP
2018-11-27  9:27                 ` SF Markus Elfring
2018-11-27 10:08                   ` Julia Lawall
2018-11-27 10:28                     ` [Caml-list] Build-/Installation-Tools - not enough " SF Markus Elfring
2018-11-27 10:34                       ` Julia Lawall
2018-11-27 11:05                         ` Jean-Francois Monin
2018-11-27 11:00                           ` Kakadu
2018-11-27 13:18                             ` Malcolm Matalka
2018-11-28  1:52                               ` Francois Berenger
2018-11-28 15:21                             ` Ian Zimmerman
2018-11-27 13:07                     ` [Caml-list] Build-/Installation-Tools - not enogh " Jean-Marc Alliot
2018-12-06 12:21               ` Richard W.M. Jones
2018-12-06 16:10                 ` Yawar Amin
2018-12-06 20:18                   ` Richard W.M. Jones
2018-12-07  7:31                     ` Daniel Bünzli
2018-12-07  7:44                       ` [Caml-list] What happened to the 'ancient' library for OCaml? Francois Berenger
2018-12-07  8:24                         ` Richard W.M. Jones
2018-12-07  8:26                       ` [Caml-list] Build-/Installation-Tools - not enogh of them? Richard W.M. Jones
2018-12-07  9:01                         ` Daniel Bünzli
2018-12-07 13:22                       ` Stéphane Glondu
2018-12-08  0:58                         ` Daniel Bünzli
2018-12-13 23:45                           ` SP
2018-12-11  2:47                         ` Francois Berenger
2018-12-07 13:12                     ` Malcolm Matalka
2018-11-27 14:32             ` Anil Madhavapeddy
2018-11-27 14:35     ` Gerd Stolpmann
2018-11-30 15:23   ` Louis Gesbert
2018-11-26 22:44 ` Jaap Boender
2018-11-26 22:55   ` Simon Cruanes
2018-11-27 13:29     ` Oliver Bandel
2018-11-27 13:45       ` [Caml-list] Build-/Installation tools - not enough " SF Markus Elfring
2018-11-27 15:06       ` [Caml-list] Build-/Installation-Tools - not enogh " Simon Cruanes
2018-11-27 15:49         ` Oliver Bandel
2018-11-27 16:27           ` Daniel Bünzli
2018-11-27 17:46             ` Jaap Boender
2018-11-28 11:47               ` Jeremie Dimino
2018-12-01 15:12                 ` [Caml-list] How to start with the curren toolset? Hendrik Boom
2018-12-01 16:56                   ` Ian Zimmerman
2018-12-02 15:27                   ` Daniel Bünzli
2018-12-02 23:36                     ` David Allsopp
2018-12-03  2:19                     ` [Caml-list] let's give a try at opam-bundle Francois Berenger
2018-12-02 17:44                   ` [Caml-list] confusing message in opam installer Hendrik Boom
2018-12-02 17:50                     ` Julia Lawall
2018-12-05 19:07                       ` Raja Boujbel - OCamlPro
2018-11-27 16:27           ` [Caml-list] Build-/Installation tools - not enough of them? SF Markus Elfring
2018-11-27 17:09           ` [Caml-list] Build-/Installation-Tools - not enogh " Markus Mottl
2018-11-30 12:41             ` [Caml-list] <DKIM> " Vu Ngoc San
2018-12-07 15:19             ` [Caml-list] " oliver
2018-11-27 16:52       ` Hendrik Boom
2018-11-27 14:11     ` Jaap Boender
2018-11-27  2:33   ` Francois Berenger
2018-11-27 13:31     ` Oliver Bandel
2018-11-27 13:40 ` John F Carr
2018-11-30 16:31   ` Louis Gesbert [this message]
2018-12-01  5:01     ` Louis Roché
2018-12-03  0:16     ` Edwin Török

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7429727.XKSIZ6bzdz@agaric \
    --to=louis.gesbert@ocamlpro.com \
    --cc=caml-list@inria.fr \
    --cc=jfc@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).