On Wed, 2011-09-28 at 22:26 +0100, Max Bolingbroke wrote:
> Hi Hackagers,
>
> I've written a rough-and-ready documentation building service for the
> Hackage 2.0 effort. It is functional enough to submit build reports
> and build documentation for a few example packages on my local Hackage
> instance.
>
> Duncan: please review+commit! I also had to make some small changes to
> cabal-install that should go into the Cabal repo.

Cool, thanks. That was quick! I only just got back from Tokyo. Also got your note about the patch to avoid applying.

> Comments/suggestions welcome. There is one major known flaw in that
> the invocation of "cabal install" performed by the builder is not
> sandboxed. So arbitrary user code runs with the same privileges as the
> documentation builder itself. I guess the best solution to this is a
> chroot (to restrict the writeable part of the file system)+timeout?

Yeah, I think this is probably best solved by sys admin stuff rather than trying to build anything sophisticated into the client itself. Someone setting this up on a system would want to use some kind of sandbox, either a vm, a chroot, SELinux policy or whatever else their system provides. We should probably just provide a big fat warning and pointers to documentation on various sandbox/container technologies.

Duncan

_______________________________________________
cabal-devel mailing list
cabal-devel@haskell.org
http://www.haskell.org/mailman/listinfo/cabal-devel