[opam-devel] opam 1.3 status

Hannes Mehnert hannes at mehnert.org
Sat Mar 5 12:49:37 GMT 2016


On 05/03/2016 00:56, Louis Gesbert wrote:
> Removing `--insecure`: absolutely, I would be glad to if I get agreement from 
> the repository team.

I see that you merged https://github.com/ocaml/opam/pull/2460 (which
removes --insecure/--no-check-certificates; in which I also reported
statistics about https hosts in opam-repository).

> Sandboxing: we've actually been studying this recently with Grégoire, and it 
> seems it's not that difficult to do on Linux, using the namespaces. The related 
> features are actually available with just some calls to `unshare` and `mount`, 
> and we wrote a quick script that makes ~ read-only, while keeping only the 
> build dir read-write, and disabling network. That's for build, for install, 
> only the switch prefix should be rw, and the build dir ro. It's absolutely not 
> secure for now, but it's a good start.
> 
> With that, my idea for 2.0 was to provide a generic way to configure wrappers 
> for package commands in the different scopes, document how to put the namespace 
> control in place, and do it on our automated tests on Linux: this would allow 
> to test the feature well, and provide a good sanity check, if nothing more 
> except for opt-in users. This would also allow to try implementations on other 
> OSes (I am sure the Docker guys would be glad to help, this is their stuff 
> after all ? ;)). If successful, the next release could include it built-in.
> 
> How does this sound ?

That sounds great. Thanks for describing the current state!

hannes
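
The namespace setup described in the quoted message, as an added example that is not part of the thread and not the script Louis mentions. The names sandbox_script, sandbox_run and the SANDBOX_* variables are hypothetical, and it assumes util-linux unshare(1) and mount(8) on a kernel that permits unprivileged user namespaces.

```shell
#!/bin/sh
# Added illustration; sandbox_script, sandbox_run and the SANDBOX_* variables
# are hypothetical names, not opam's. Assumes util-linux unshare(1)/mount(8)
# and a kernel that allows unprivileged user namespaces.

# Print the mount steps for one scope. Paths are bound onto themselves first so
# each becomes its own mount point; "remount,bind,ro" then affects only that
# mount, leaving a read-write mount nested below a read-only one writable.
sandbox_script() {
    case $1 in
    build)    # ~ read-only, build dir read-write
        cat <<'EOF'
mount --bind "$HOME" "$HOME"
mount --bind "$SANDBOX_BUILD_DIR" "$SANDBOX_BUILD_DIR"
mount -o remount,bind,ro "$HOME"
EOF
        ;;
    install)  # ~ and build dir read-only, switch prefix read-write
        cat <<'EOF'
mount --bind "$HOME" "$HOME"
mount --bind "$SANDBOX_PREFIX" "$SANDBOX_PREFIX"
mount --bind "$SANDBOX_BUILD_DIR" "$SANDBOX_BUILD_DIR"
mount -o remount,bind,ro "$HOME"
mount -o remount,bind,ro "$SANDBOX_BUILD_DIR"
EOF
        ;;
    *)
        echo "unknown scope: $1" >&2
        return 2
        ;;
    esac
}

# sandbox_run SCOPE BUILD_DIR PREFIX COMMAND [ARG...]
# --map-root-user lets an unprivileged user call mount inside the namespace,
# --mount keeps the mounts private to it, --net leaves only a down loopback.
# sh -e aborts before COMMAND if any mount step fails. COMMAND still runs as
# the namespace's root and could undo the mounts, so this is a sanity check,
# in line with the "not secure for now" caveat in the thread.
sandbox_run() {
    scope=$1; build_dir=$2; prefix=$3
    shift 3
    script=$(sandbox_script "$scope") || return 2
    SANDBOX_BUILD_DIR=$build_dir SANDBOX_PREFIX=$prefix \
        unshare --map-root-user --mount --net sh -ec "$script
unset SANDBOX_BUILD_DIR SANDBOX_PREFIX
exec \"\$@\"" sandbox "$@"
}
```

The install steps bind the prefix before the build dir so that a build dir located under the switch prefix ends up as a read-only mount inside the writable one.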


