
Re: Alternative to Source Forge for Octave Packages (Was : Re: pdepe)


From: Oliver Heimlich
Subject: Re: Alternative to Source Forge for Octave Packages (Was : Re: pdepe)
Date: Tue, 31 May 2016 08:09:00 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.7.0

On 30.05.2016 15:22, Carlo De Falco wrote:
> On 29 May 2016, at 17:56, Carlo De Falco <address@hidden> wrote:
>> ... I have been
>> looking into the possibility of setting up a package distribution
>> system alternative (or complementary) to OctaveForge or Agora, based
>> on the example of Julia's package repository: http://pkg.julialang.org/
>>
>> I think most of the features of that system are fairly easy to get,
>> but I was stuck thinking at how to get the automatic test system working
>> without security issues ...
> 
> On 29 May 2016, at 18:04, Nikola Yuroukov <address@hidden> wrote:
>> What security issues do you anticipate with the automatic test system?
> 
> Carlo de Falco-2 wrote
>> If whatever is there is downloaded built and run for testing, 
>> how can you prevent dangerous code from being run?
> 
> Anyway, feedback from others on the list would be appreciated on this topic so 
> I'm moving
> this discussion to a different thread.
> 
> c.

The security issue happens before running automatic tests (we are
talking of BISTs?). You could do the latter with:

        pkg ("load", "packagename")
        __run_test_suite__ ({pkg("list", "packagename"){}.dir}, {})

As you point out, this will run (unverified) code on the user's machine.
However, it is already possible to execute arbitrary code during the pkg
install phase if you put a src/Makefile into the package.

You would need to set up some virtualization for automatic testing (e.
g. containers) to protect against these.

I have tried to find out how Julia handles the security issue. [1, 2]
Every package release requires a pull request on GitHub where the
version hash is added to the meta repository. Before that, the new
version release has been successfully built by TravisCI from the source
repository (as far as I understand this is required, so the particular
tag has been executed to some extent on Travis already).

There is a manual process involved (reviewing pull requests, don't know
if they check for malicious code). Did you plan to have this manual
process in your package distribution system? What would be different
from Octave-Forge?

Oliver

[1] http://docs.julialang.org/en/release-0.4/manual/packages/
[2] http://www.stochasticlifestyle.com/finalizing-julia-package-documentation-testing-coverage-publishing/
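The message above notes that a package can already execute arbitrary code during `pkg install` through `src/Makefile`, before any automatic test is run. The following shell script is an added example, not code from this thread or from the Octave project: it lists the members of a package archive that run code at install or load time, so a distribution service could flag such packages for manual review (or route them to an isolated builder) before touching them. The set of paths treated as hooks (`src/Makefile`, `src/configure`, `PKG_ADD`, `PKG_DEL`) is this example's own assumption based on the conventional Octave package layout, and the sample archive is constructed inline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report the files in an
# Octave package archive that cause code to run at `pkg install` or
# `pkg load` time. Which paths count as hooks is this script's assumption.

# Print, one per line and sorted, every archive member that is a hook.
# Usage: octave_pkg_hooks PACKAGE.tar.gz
octave_pkg_hooks() {
    tar -tzf "$1" | awk '
        # Strip the top-level directory that package archives carry
        # (e.g. "demo-1.0/src/Makefile" -> "src/Makefile").
        { p = $0; sub(/^[^\/]*\//, "", p) }
        # src/Makefile and src/configure are executed by `pkg install`.
        p == "src/Makefile" || p == "src/configure" { print p; next }
        # PKG_ADD / PKG_DEL scripts are executed by `pkg load` / `pkg unload`.
        p == "PKG_ADD" || p == "PKG_DEL" ||
        p == "inst/PKG_ADD" || p == "inst/PKG_DEL" { print p; next }
    ' | sort
}

# Exit status 0 when the archive contains no hooks, 1 otherwise,
# so the check can gate a CI or review pipeline.
octave_pkg_is_hookfree() {
    [ -z "$(octave_pkg_hooks "$1")" ]
}

# Build a constructed sample archive in a temporary directory and print
# its path. With argument 1 the package carries a Makefile and a PKG_ADD
# script; with argument 0 it is a plain .m-file-only package.
make_sample_pkg() {
    with_hooks=$1
    dir=$(mktemp -d)
    mkdir -p "$dir/demo-1.0/src" "$dir/demo-1.0/inst"
    : > "$dir/demo-1.0/DESCRIPTION"
    : > "$dir/demo-1.0/inst/demo.m"
    if [ "$with_hooks" = 1 ]; then
        printf 'all:\n\techo built\n' > "$dir/demo-1.0/src/Makefile"
        : > "$dir/demo-1.0/PKG_ADD"
    fi
    tar -czf "$dir/demo-1.0.tar.gz" -C "$dir" demo-1.0
    printf '%s\n' "$dir/demo-1.0.tar.gz"
}

# Stand-alone demonstration on the constructed archives.
hooked=$(make_sample_pkg 1)
clean=$(make_sample_pkg 0)
echo "hooks in $hooked:"
octave_pkg_hooks "$hooked"
if octave_pkg_is_hookfree "$clean"; then
    echo "$clean has no install/load hooks"
fi
```

A package that the check flags is not necessarily malicious (many packages need `src/Makefile` to compile oct-files), but it is the one whose build and test steps should only run inside the kind of container the message recommends.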
