public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Robert Buchholz @ 2008-10-09 19:03 UTC
  To: gentoo-dev


Hello,

currently, PMS section 10.1 states:

  Some functions may assume that their initial working directory is
  set to a particular location; these are noted below.
  If no initial working directory is mandated, it may be set to
  anything and the ebuild must not rely upon a particular location
  for it.

Please consider the following addition to this paragraph:

  The ebuild can rely on the chosen initial working directory being
  a trusted location that is not world-writable and is owned by
  a privileged user and group.

This change affects all pkg_ functions.

Rationale:
This feature presents a security hardening to work around 
vulnerabilities in ebuilds and applications called by ebuilds, and the 
Gentoo Security Team considers this the official solution to
bug 239560 / GLSA 200810-02.

I would like:
 * everyone to comment on the change and propose changes to the wording
 * council to vote on this change to EAPI-0, -1 and -2.

Portage implements this in 2.1.4.5 and 2.2_rc12, Paludis in 0.30.2.
I have not heard back from Brian on pkgcore (because this issue has been 
disclosed to him on really short notice).

Thanks,
Robert
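
The trusted-directory criterion from the proposed wording, written out as the check a package manager could run before entering the directory it hands to pkg_ functions. This is an added illustration, not code from Portage, Paludis or pkgcore; uid 0 / gid 0 as the "privileged user and group" and the helper names are assumptions.

```python
import os
import stat
import tempfile

# Assumption: uid 0 / gid 0 stand in for the "privileged user and group" of the
# proposed wording; the thread does not name specific ids.
PRIVILEGED_UIDS = frozenset({0})
PRIVILEGED_GIDS = frozenset({0})


def trusted_workdir_problems(path, privileged_uids=PRIVILEGED_UIDS,
                             privileged_gids=PRIVILEGED_GIDS):
    """Return the reasons why `path` fails the proposed criterion (a directory,
    not world-writable, owned by a privileged user and group). An empty list
    means the directory is acceptable as the initial working directory."""
    problems = []
    try:
        st = os.stat(path)  # follows symlinks, exactly as chdir() would
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    # A sticky bit (as on /tmp) does not help: any user can still create files
    # there, which is the situation the hardening rules out.
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_uid not in privileged_uids:
        problems.append(f"owned by unprivileged uid {st.st_uid}")
    if st.st_gid not in privileged_gids:
        problems.append(f"owned by unprivileged gid {st.st_gid}")
    return problems


def is_trusted_workdir(path, **kw):
    return not trusted_workdir_problems(path, **kw)


def demo():
    """Constructed check: a 0755 directory passes, 0777 and sticky 1777 do not.
    The current uid/gid play the privileged owner so this runs unprivileged."""
    me = {"privileged_uids": {os.getuid()}, "privileged_gids": {os.getgid()}}
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("safe", 0o755), ("open", 0o777), ("sticky", 0o1777)):
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)
            results[name] = is_trusted_workdir(d, **me)
    return results
```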


* Re: [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Donnie Berkholz @ 2008-10-13 17:42 UTC
  To: gentoo-dev


On 21:03 Thu 09 Oct, Robert Buchholz wrote:
> I would like:
>  * everyone to comment on the change and propose changes to the wording
>  * council to vote on this change to EAPI-0, -1 and -2.

It seems to me that this is an EAPI=0 change. Since EAPI=1 and EAPI=2 
are just differences to EAPI=0, they wouldn't be voted on. Since EAPI=0 
isn't actually approved yet, council wouldn't vote either. As it's a 
draft standard, this would be resolved amongst package-manager 
developers and PMS editors.

-- 
Thanks,
Donnie

Donnie Berkholz
Developer, Gentoo Linux
Blog: http://dberkholz.wordpress.com


* Re: [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Wulf C. Krueger @ 2008-10-13 18:20 UTC
  To: gentoo-dev


On Monday, 13. October 2008 19:42:21 Donnie Berkholz wrote:
> Since EAPI=0 isn't actually approved yet, council wouldn't vote 
> either. As it's a draft standard, this would be resolved amongst
> package-manager developers and PMS editors.

So, EAPI-2 had to be approved before it could be used in the tree. EAPI-0 
isn't "actually approved yet", though, so it must not be used in the tree, 
right? ;-)

And since EAPI-1 builds upon EAPI-0, that's not acceptable in the tree 
either.

(And, btw, the former council decided there wouldn't be any new EAPIs 
before EAPI-0 was approved.)

While I agree with your intention of letting people decide upon the stuff 
they have to work with mostly on their own and with each other, I think 
your argument, Donnie, is rather "interesting". :-)

Best regards, Wulf



* Re: [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Ciaran McCreesh @ 2008-10-13 18:28 UTC
  To: gentoo-dev


On Mon, 13 Oct 2008 10:42:21 -0700
Donnie Berkholz <dberkholz@gentoo.org> wrote:
> It seems to me that this is an EAPI=0 change. Since EAPI=1 and EAPI=2 
> are just differences to EAPI=0, they wouldn't be voted on. Since
> EAPI=0 isn't actually approved yet, council wouldn't vote either. As
> it's a draft standard, this would be resolved amongst package-manager 
> developers and PMS editors.

It's a retroactive change to EAPI 0 that requires changes from package
managers and has security implications... Robert isn't requesting that
we specify and mandate existing behaviour here, so it's not really
something that should be left up to PMS to decide and enforce.

I mean, if the Council's comfortable with PMS being used to force
package manager changes for things that aren't obviously bugs, we could
do it without asking, but that looks a lot like a slippery slope...

-- 
Ciaran McCreesh


* Re: [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Donnie Berkholz @ 2008-10-13 18:56 UTC
  To: gentoo-dev


On 20:20 Mon 13 Oct, Wulf C. Krueger wrote:
> On Monday, 13. October 2008 19:42:21 Donnie Berkholz wrote:
> > Since EAPI=0 isn't actually approved yet, council wouldn't vote 
> > either. As it's a draft standard, this would be resolved amongst
> > package-manager developers and PMS editors.
> 
> So, EAPI-2 had to be approved before it could be used in the tree. EAPI-0 
> isn't "actually approved yet", though, so it must not be used in the tree, 
> right? ;-)

EAPI=0 was grandfathered in; it's unlike any new set of features.

> And since EAPI-1 builds upon EAPI-0, that's not acceptable in the tree 
> either.
> 
> (And, btw, the former council decided there wouldn't be any new EAPIs 
> before EAPI-0 wasn't approved.)

I think that was done under the assumption that EAPI=0 would actually be 
finished sometime soon. It's now been 8 months since that discussion. I 
disagree with halting forward progress on something directly relevant to 
all ebuild developers (important future ebuild features) to specify 
existing behavior. I think specifications are useful but are not a 
blocker.

-- 
Thanks,
Donnie

Donnie Berkholz
Developer, Gentoo Linux
Blog: http://dberkholz.wordpress.com


* Re: [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Robert Buchholz @ 2008-10-17 0:41 UTC
  To: gentoo-dev


On Monday 13 October 2008, Ciaran McCreesh wrote:
> On Mon, 13 Oct 2008 10:42:21 -0700
>
> Donnie Berkholz <dberkholz@gentoo.org> wrote:
> > It seems to me that this is an EAPI=0 change. Since EAPI=1 and
> > EAPI=2 are just differences to EAPI=0, they wouldn't be voted on.
> > Since EAPI=0 isn't actually approved yet, council wouldn't vote
> > either. As it's a draft standard, this would be resolved amongst
> > package-manager developers and PMS editors.
>
> It's a retroactive change to EAPI 0 that requires changes from
> package managers and has security implications... Robert isn't
> requesting that we specify and mandate existing behaviour here, so
> it's not really something that should be left up to PMS to decide and
> enforce.

All package manager developers have implemented this change, and PMS 
editors have not objected to adding it to the spec. If Ciaran is 
uncomfortable with adding this change, I would like council to sign off 
on it. If council will not add this to the agenda, please state so and 
I hope the PMS folks can add it to the spec without a vote.

Furthermore, what are the blockers to vote on PMS as a draft standard 
for EAPI=0? Is there a timeframe for its ratification?

Robert


* Re: [gentoo-dev] EAPI change: Call ebuild functions from trusted working directory
From: Robert Buchholz @ 2008-10-24 11:36 UTC
  To: gentoo-dev; +Cc: council


On Friday 17 October 2008, Robert Buchholz wrote:
> On Monday 13 October 2008, Ciaran McCreesh wrote:
> > It's a retroactive change to EAPI 0 that requires changes from
> > package managers and has security implications... Robert isn't
> > requesting that we specify and mandate existing behaviour here, so
> > it's not really something that should be left up to PMS to decide
> > and enforce.
>
> All package manager developers have implemented this change, and PMS
> editors have not objected to adding it to the spec. If Ciaran is
> uncomfortable with adding this change, I would like council to sign
> off on it. If council will not add this to the agenda, please state
> so and I hope the PMS folks can add it to the spec without a vote.
>
> Furthermore, what are the blockers to vote on PMS as a draft standard
> for EAPI=0 ? Is there a timeframe for its ratification?

Has this been discussed in the last council meeting?
If not, can you please give a reply for the questions above?


Robert
