caml-list - the Caml user's mailing list
 help / Atom feed
From: Louis Roché <louis@louisroche.net>
To: caml-list@inria.fr
Subject: Re: [Caml-list] Build-/Installation-Tools - not enogh of them?
Date: Sat, 01 Dec 2018 15:01:44 +1000
Message-ID: <1543640504.1470432.1595095128.5C9A92F8@webmail.messagingengine.com> (raw)
In-Reply-To: <7429727.XKSIZ6bzdz@agaric>

[-- Attachment #1: Type: text/plain, Size: 6484 bytes --]

Shameless plug, I tried to document basic opam usage for people who have
experience with npm. It turns ok it can also be an introduction to total
newcomers. Hope it can help some people.
https://khady.info/opam-npm.html


On Sat, Dec 1, 2018, at 2:31 AM, Louis Gesbert wrote:
>> - John F Carr, 27/11/2018 13:40 -
>> I have a related request.  I am not a trusting person.  I do not like
>> "curl | sudo sh" type installation methods.> 
> You're not the only one :)
> Some notes on opam's security model:
> 
> - opam 2.0 uses, by default `bubblewrap` [1] on Linux and `sandbox-
>   exec` on OSX to ensure that package scripts:>   * don't make any network access
>   * don't interact with other processes
>   * don't write outside of their build dir, /tmp, and (in the case of
>     install) the switch prefix (excl. opam files)> 
> - this is done using simple wrapper scripts [2] and some default hooks
>   configuration in ~/.opam/config, so if you know about built-in
>   sandboxing engines for other OSes, it is fairly easy to experiment
>   with them, and a contribution would be very welcome.> 
> - while I expect this to be reasonably secure, it's intended first and
>   foremost to avoid dramatic errors, not to protect against malicious
>   repositories> 
> - package scripts are protected but **not any use made by the users of
>   the programs or libraries that were installed through opam**. In
>   other words, building should be safe, but there is no guarantee
>   about what the result of the build will do: that is not restrained
>   by opam in any way> 
> - the effort to provide end-to-end package signatures in the
>   repository [3] is still ongoing. Cheers to Hannes Mehnert for the
>   awesome work he has already done here. Most of the work should be
>   done, but then we need to integrate all that, and there is a lot of
>   work on the tooling so that it won't add to much burden on users and
>   repository maintainers (this commonly results in most disabling the
>   security features, which is as good has having no security features
>   to begin with).> 
> - we do advertise `curl | sh` on the installation page as the easiest
>   entry point, but the script is quite trivial and only uses root to
>   copy to your prefix; it's very easy to fetch the binary by hand from
>   Github if you prefer not to run it, and of course, you can also
>   build from source using the bootstrap scripts.> 
>> If a package has 'rm -rf $BUILD/', or equivalent ocaml code, are
>> its ill>> effects confined when BUILD is unset?
> 
> yes, that's the whole point of the sandboxing that was
> introduced in 2.0> 
>> Can the build process grab screenshots from the background?
> 
> not sure. Probably not on Linux since we use a different process
> space, but maybe on OSX. In anycase, since network access is blocked
> in both cases, that wouldn't do much harm.> 
>> One reason I like make is, if the Makefile is simple you know what
>> it's going to do.> 
> I would object that opam package definition files (`opam` or
> `foo.opam`) should be at least as straightforward to read even if you
> have never seen the syntax, are less error-prone, and are generally
> much shorter. Just look for the "build:" and "install:" parts. But I
> agree you need to know first to look at them, and since they are
> generally an indirection to some build-system (`make`, `dune`,
> `topkg`...), you would just start digging...> 
>> Also, the xkcd on standards seems relevant: https://xkcd.com/927/
> 
> We have __actually__ been converging as of late, though.
> 
> 
> Best,
> Louis Gesbert — OCamlPro
> 
> 
> 
> [1] https://github.com/projectatomic/bubblewrap
> [2] https://github.com/ocaml/opam/blob/master/src/state/shellscripts/bwrap.sh> and
> https://github.com/ocaml/opam/blob/master/src/state/shellscripts/sandbox_exec.sh> [3] https://github.com/hannesm/conex
> 
>> Whatever one true packaging system we use, I want to trust it not to
>> let the build process mess up my system.  For example, I see opam
>> makes some attempt to contain the build process on some systems.
>> It's not clear to me how much it does and how effective.  And it
>> appaerntly does not work on BSD.  If a package has 'rm -rf $BUILD/',
>> or equivalent ocaml code, are its ill effects confined when BUILD is
>> unset?  Can the build process grab screenshots from the background?
>> And so on.>> 
>> One reason I like make is, if the Makefile is simple you know what
>> it's going to do.>> 
>> Also, the xkcd on standards seems relevant: https://xkcd.com/927/
>> 
>>> On Nov 26, 2018, at 05:14 , Oliver Bandel <oliver@first.in-
>>> berlin.de> wrote:>>> 
>>> Hello,
>>> 
>>> a while ago it looked like there were not enough build- and
>>> installation-tools>>> for OCaml. I remember some discussions about that.
>>> 
>>> Now it seems to me that there are a lot of them.
>>> So, developers can pick the one they know about.
>>> 
>>> For all these tools there might be good reasons to use them,
>>> and those>>> developers who looked at these tools and choose them for their
>>> projects, will>>> know them well enough.
>>> 
>>> The situation differs, if one wants to package the written software,>>> and one needs to know many of those tools, just to compile the
>>> stuff.>>> So, when one just wants to compile and install some software,
>>> just for that, it would take much effort to learn the different build-
>>> tools.>>> 
>>> So, packaging has become more complicated, even though for the
>>> developers>>> these tools may save time.
>>> 
>>> It would be nice if people who used one of the many new
>>> building tools>>> could provide a Makefile that allows just to type
>>> "make" and "make install", instead of expecting everyone who wants
>>> to compile>>> the software to first learn just-another-build-tool.
>>> 
>>> Also it would be good, to mention early, which installation tools
>>> (make-dependencies)>>> are in use, and too mention needed packages (opam or others) to just
>>> build the stuff.>>> 
>>> Thanks and regards,
>>> Oliver Bandel
>>> 
>> 
>> 
>> 
> Email had 1 attachment:


>  * signature.asc 1k (application/pgp-signature)

-- 
Caml-list mailing list.  Subscription management and archives:
https://sympa.inria.fr/sympa/arc/caml-list https://inbox.ocaml.org/caml-list
Forum: https://discuss.ocaml.org/
Bug reports: http://caml.inria.fr/bin/caml-bugs

[-- Attachment #2: Type: text/html, Size: 8228 bytes --]

  reply index

Thread overview: 70+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-26 10:15 Oliver Bandel
2018-11-26 16:41 ` Yawar Amin
2018-11-26 16:58   ` Julia Lawall
2018-11-26 17:16     ` Yawar Amin
2018-11-26 20:33       ` Julia Lawall
2018-11-26 20:48         ` Yawar Amin
2018-11-26 20:54           ` Julia Lawall
2018-11-26 21:19             ` Yawar Amin
2018-11-26 21:29               ` Julia Lawall
2018-11-26 22:16                 ` SP
2018-11-27  5:24                   ` Malcolm Matalka
2018-11-28  0:21                     ` SP
2018-11-27  6:11                   ` Julia Lawall
2018-11-27  8:46                     ` SF Markus Elfring
2018-11-28  0:04                     ` SP
2018-11-27  9:27                 ` SF Markus Elfring
2018-11-27 10:08                   ` Julia Lawall
2018-11-27 10:28                     ` [Caml-list] Build-/Installation-Tools - not enough " SF Markus Elfring
2018-11-27 10:34                       ` Julia Lawall
2018-11-27 11:05                         ` Jean-Francois Monin
2018-11-27 11:11                           ` Kakadu
2018-11-27 13:19                             ` Malcolm Matalka
2018-11-28  1:53                               ` Francois Berenger
2018-11-28 15:37                             ` Ian Zimmerman
2018-11-27 13:07                     ` [Caml-list] Build-/Installation-Tools - not enogh " Jean-Marc Alliot
2018-12-06 12:21               ` Richard W.M. Jones
2018-12-06 16:11                 ` Yawar Amin
2018-12-06 20:18                   ` Richard W.M. Jones
2018-12-07  7:31                     ` Daniel Bünzli
2018-12-07  7:45                       ` [Caml-list] What happened to the 'ancient' library for OCaml? Francois Berenger
2018-12-07  8:24                         ` Richard W.M. Jones
2018-12-07  8:27                       ` [Caml-list] Build-/Installation-Tools - not enogh of them? Richard W.M. Jones
2018-12-07  9:01                         ` Daniel Bünzli
2018-12-07 13:22                       ` Stéphane Glondu
2018-12-08  0:58                         ` Daniel Bünzli
2018-12-13 23:45                           ` SP
2018-12-11  2:47                         ` Francois Berenger
2018-12-07 13:12                     ` Malcolm Matalka
2018-11-27 14:33             ` Anil Madhavapeddy
2018-11-27 14:36     ` Gerd Stolpmann
2018-11-30 16:01   ` Louis Gesbert
2018-11-26 22:44 ` Jaap Boender
2018-11-26 22:54   ` Simon Cruanes
2018-11-27 13:29     ` Oliver Bandel
2018-11-27 13:45       ` [Caml-list] Build-/Installation tools - not enough " SF Markus Elfring
2018-11-27 15:06       ` [Caml-list] Build-/Installation-Tools - not enogh " Simon Cruanes
2018-11-27 15:49         ` Oliver Bandel
2018-11-27 16:27           ` Daniel Bünzli
2018-11-27 17:46             ` Jaap Boender
2018-11-28 11:48               ` Jeremie Dimino
2018-12-01 15:12                 ` [Caml-list] How to start with the curren toolset? Hendrik Boom
2018-12-01 17:07                   ` Ian Zimmerman
2018-12-02 15:27                   ` Daniel Bünzli
2018-12-02 23:36                     ` David Allsopp
2018-12-03  2:19                     ` [Caml-list] let's give a try at opam-bundle Francois Berenger
2018-12-02 17:44                   ` [Caml-list] confusing message in opam installer Hendrik Boom
2018-12-02 17:50                     ` Julia Lawall
2018-12-05 19:09                       ` Raja Boujbel - OCamlPro
2018-11-27 16:27           ` [Caml-list] Build-/Installation tools - not enough of them? SF Markus Elfring
2018-11-27 17:11           ` [Caml-list] Build-/Installation-Tools - not enogh " Markus Mottl
2018-11-30 12:41             ` [Caml-list] <DKIM> " Vu Ngoc San
2018-12-07 15:19             ` [Caml-list] " oliver
2018-11-27 16:52       ` Hendrik Boom
2018-11-27 14:11     ` Jaap Boender
2018-11-27  2:33   ` Francois Berenger
2018-11-27 13:31     ` Oliver Bandel
2018-11-27 13:40 ` John F Carr
2018-11-30 16:33   ` Louis Gesbert
2018-12-01  5:01     ` Louis Roché [this message]
2018-12-03  0:16     ` Edwin Török

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1543640504.1470432.1595095128.5C9A92F8@webmail.messagingengine.com \
    --to=louis@louisroche.net \
    --cc=caml-list@inria.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

caml-list - the Caml user's mailing list

Archives are clonable: git clone --mirror https://inbox.ocaml.org/caml-list

AGPL code for this site: git clone https://public-inbox.org/ public-inbox