[opam-devel] opam 1.3 status
Hannes Mehnert
hannes at mehnert.org
Sat Mar 5 12:49:37 GMT 2016
On 05/03/2016 00:56, Louis Gesbert wrote:
> Removing `--insecure`: absolutely, I would be glad to if I get agreement from
> the repository team.
I see that you merged https://github.com/ocaml/opam/pull/2460 (which
removes --insecure/--no-check-certificates; in which I also reported
statistics about https hosts in opam-repository).
> Sandboxing: we've actually been studying this recently with Grégoire, and it
> seems it's not that difficult to do on Linux, using the namespaces. The related
> features are actually available with just some calls to `unshare` and `mount`,
> and we wrote a quick script that makes ~ read-only, while keeping only the
> build dir read-write, and disabling network. That's for build, for install,
> only the switch prefix should be rw, and the build dir ro. It's absolutely not
> secure for now, but it's a good start.
>
> With that, my idea for 2.0 was to provide a generic way to configure wrappers
> for package commands in the different scopes, document how to put the namespace
> control in place, and do it on our automated tests on Linux: this would allow
> to test the feature well, and provide a good sanity check, if nothing more
> except for opt-in users. This would also allow to try implementations on other
> OSes (I am sure the Docker guys would be glad to help, this is their stuff
> after all ? ;)). If successful, the next release could include it built-in.
>
> How does this sound?
That sounds great. Thanks for describing the current state!
hannes
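
The per-scope policy described in the quoted message (read-only home, one writable directory, network disabled), sketched as a shell wrapper around `unshare` and `mount`. This is an added example, not the script mentioned in the thread and not opam code; the function names, the argument order and cutting the network in the install scope as well are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, not the script from the thread.
# Policy per scope, as described in the quoted message:
#   build:   $HOME read-only, build dir read-write
#   install: $HOME read-only, switch prefix read-write, build dir read-only
# Network is cut in both scopes (the message states it for build only;
# doing it for install too is an assumption of this sketch).

# Print one "MODE PATH" rule per line, outermost path first, so that a
# later, more specific bind mount overrides the rule of its parent.
sandbox_plan() {
    scope=$1 home=$2 build=$3 prefix=$4
    case $scope in
        build)   printf '%s %s\n' ro "$home" rw "$build" ;;
        install) printf '%s %s\n' ro "$home" rw "$prefix" ro "$build" ;;
        *)       echo "unknown scope: $scope" >&2; return 2 ;;
    esac
}

# sandbox_run SCOPE BUILD_DIR PREFIX COMMAND [ARG...]
# Runs COMMAND in new user, mount and network namespaces. util-linux
# unshare makes the new mount namespace private by default, so the bind
# mounts below never propagate back to the host.
sandbox_run() {
    scope=$1 build=$2 prefix=$3
    shift 3
    plan=$(sandbox_plan "$scope" "$HOME" "$build" "$prefix") || return
    PLAN=$plan unshare --user --map-root-user --mount --net sh -c '
        printf "%s\n" "$PLAN" | while read -r mode path; do
            # Bind the directory onto itself, then set ro/rw on that mount.
            mount --rbind "$path" "$path" &&
            mount -o "remount,bind,$mode" "$path" || exit 1
        done && exec "$@"' sh "$@"
}
```

The remount changes only the mount at each listed path, so any mount point nested below it keeps its own flags, and the command runs as a namespace root mapped onto the invoking user.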