Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cabal check errors on git:// #10659

Closed
phadej opened this issue Dec 20, 2024 · 6 comments
Closed

cabal check errors on git:// #10659

phadej opened this issue Dec 20, 2024 · 6 comments

Comments

@phadej
Copy link
Collaborator

phadej commented Dec 20, 2024

The following errors are likely to affect your build negatively:
Error: [git-protocol] Cloning over git:// might lead to an arbitrary code
execution vulnerability. Furthermore, popular forges like GitHub do not
support it. Use https:// or ssh:// instead.

That won't affect build negatively when the package is fetched from Hackage. This should not be an error, at most a warning. (Like specifying -O2).

@ffaf1
Copy link
Collaborator

ffaf1 commented Dec 20, 2024

PR #10261, there has been a discussion there too.

Sources:

Reading the Git Book, there really seems no good reason to use git://, and great risks (abritrary code execution!); definitely a thing we want to warn a user about (and incidentally definitely something I would not like to land in Hackage).

On the contrary -O2 has legitimate uses, thus check is less strict about it:

Warning: [option-o2] 'ghc-options: -O2' is rarely needed. Check that it is giving a
real benefit and not just imposing longer compile times on your users.

Can you tell us more about your use case?

@phadej
Copy link
Collaborator Author

phadej commented Dec 20, 2024

Can you tell us more about your use case?

Old package had git://. Suddenly cabal check started to fail.

Reading the Git Book, there really seems no good reason to use

Currently, the only use case for source-repository in .cabal file is informative. I'd be surprised if anyone uses it any automatic way. Hard failing just because the informative field is missing is bad. You don't fail if maintainer field (another informative field) is missing or isn't an email address or ...

@ulysses4ever
Copy link
Collaborator

I'd be surprised if anyone uses it any automatic way

I seem to remember @mpickering and/or @alt-romes using this field in an automatic way when testing the new project file parser iirc.

@ffaf1
Copy link
Collaborator

ffaf1 commented Dec 20, 2024

Yes I suspect cabal get -s uses that.

In general, even if the user is only cutting and pasting that to feed it to git clone, I see the mild, one-time inconvenience of a package maintainer versus the risk of arbitrary code execution for users.

@phadej
Copy link
Collaborator Author

phadej commented Dec 20, 2024

Yes I suspect cabal get -s uses that.

The cabal get should then warn / abort if it's going to do something unsafe. If it does, then fine, cabal check can error on git:// in source-repository; otherwise that error is hypocritical.

@ffaf1
Copy link
Collaborator

ffaf1 commented Dec 20, 2024

That makes sense.

I can look into that, if you open a new issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants