[opam-devel] opam 1.3 status

Hannes Mehnert hannes at mehnert.org
Fri Mar 4 11:46:17 GMT 2016


Hello,


What I miss from this mail is sandboxing - while "tracking installed
files" is included - but what about containing the build process in a
chroot-like environment (there was somewhere a long discussion what is
suitable and what not on which platforms).  Is anyone putting effort
into this?


Since signing won't make it into 1.3 (or 2.0, however you name it), I'd
like to propose to remove the "--insecure" and "--no-check-certificate"
arguments from the download program [curl/wget] (in
src/repository/opamDownload.ml).

The history of this starts in https://github.com/ocaml/opam/issues/55 -
some sites had invalid/untrusted certificates.  A followup is in
https://github.com/ocaml/opam/issues/2006 .

My reasoning: certificates which are trusted with the OS-shipped trust
anchors are nowadays easy to get (Let's Encrypt hands those out for
free, StartSSL and others also provide free certificates).  In order to
improve this Internet, it is better to be picky (so that people will
actually fix their https infrastructure).  Also given that some work has
been done to transparently mirror packages, there'll be a (secure!?)
fallback in case package authors mess something up.

People who don't bother can still manually set up their download tool to
something which does not check any certificates.  Secure should be the default
(also for downloading the opam repository, which is done via https, but
no certificates are checked).

I'm sure someone (either opam weather status or dockerized scripts, or
the mirror) will be easily able to set up infrastructure to report
archive download failures immediately and report them upstream.


Thanks for working on this, Louis (and others), and I'm looking forward
to a new release really soon now,

hannes
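
An added example, not part of the original mail and not opam's code: a check that a configured curl/wget download command does not carry the flags the mail proposes to remove. The function name, the sample commands and the partial list of curl short options that take an argument are assumptions; `-k` is curl's short form of `--insecure`.

```python
import shlex

# Flags that switch off TLS certificate validation (both are named in the mail).
LONG_FLAGS = {"curl": {"--insecure"}, "wget": {"--no-check-certificate"}}
# curl's short form of --insecure; it can hide inside a cluster such as -sLk.
CURL_SHORT_INSECURE = "k"
# Assumption: partial list of curl short options that consume an argument.
# After one of these, the rest of the cluster is a value, not more flags.
CURL_SHORT_WITH_ARG = set("oHdAeuxXmbcFTwCEKr")


def insecure_flags(command):
    """Return the arguments of a curl/wget command line that disable
    certificate validation, in order of appearance."""
    argv = shlex.split(command)
    if not argv:
        return []
    tool = argv[0].rsplit("/", 1)[-1]  # accept /usr/bin/curl as well as curl
    if tool not in LONG_FLAGS:
        return []
    hits = []
    skip_next = False
    for arg in argv[1:]:
        if skip_next:  # this token is the value of the previous option
            skip_next = False
            continue
        if arg in LONG_FLAGS[tool]:
            hits.append(arg)
        elif tool == "curl" and arg.startswith("-") and not arg.startswith("--"):
            for i, ch in enumerate(arg[1:], start=1):
                if ch in CURL_SHORT_WITH_ARG:
                    # "-o file": value is the next token; "-ofile": value is inline
                    skip_next = (i == len(arg) - 1)
                    break
                if ch == CURL_SHORT_INSECURE:
                    hits.append(arg)
                    break
    return hits


if __name__ == "__main__":
    # Constructed sample commands, not taken from opam.
    for cmd in ("curl -sLk -o a.tar.gz https://example.org/a.tar.gz",
                "wget -O a.tar.gz https://example.org/a.tar.gz"):
        print(cmd, "->", insecure_flags(cmd) or "certificate checks left on")
```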
