Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tracking cbits in the hackage ecosystem #162

Open
hasufell opened this issue Mar 12, 2024 · 1 comment
Open

Tracking cbits in the hackage ecosystem #162

hasufell opened this issue Mar 12, 2024 · 1 comment

Comments

@hasufell
Copy link
Member

hasufell commented Mar 12, 2024

Following #157 I think it's clear that bundled c sources are an issue.

I've been advocating against it for a long time, but there are cases where the alternative is basically leaving the end user alone with compiling a system library from source. Further discussion happened here https://discourse.haskell.org/t/haskell-cryptography-group-botan-the-first-milestone/9018/11

I think the least worst option is to create packages like bzip2-clib that do nothing but install headers and allow linking against the upstream code with no Haskell pieces whatsoever. These can be more easily tracked and shared maintenance is not an issue.

What should the sec team do here? I think there are three potential missions:

  • publish recommendations for package maintainers (including the cbits topic)
  • create tools to track such pure cbits packages against upstream versions (which is easy, since the cbits version is corresponding to the upstream versions)
  • have a list of packages that bundle cbits in non-pure ways (here it's hard to figure out if code is outdated or vulnerable)
@frasertweedale
Copy link
Collaborator

Thanks, these are all good suggestions. We will discuss it at the next SRT meeting and decide the priorities and next steps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants