Hi there,

Thanks for your interest. I recommend checking out a copy of the svn wiki repo and using chicken-doc-admin to import it, instead of using the tarball. For details see the Quick Start section in https://api.call-cc.org/5/doc/chicken-doc-admin.

Or, extract the tarball somewhere in your home directory with normal user permissions, and set CHICKEN_DOC_REPOSITORY to the extraction path, as mentioned in the documentation. You may also use the public server https://api.call-cc.org if browser-based docs are ok.

Jim

> On May 8, 2021, at 2:49 PM, Lassi Kortela <la...@lassi.io> wrote:
>
> Currently https://wiki.call-cc.org/eggref/5/chicken-doc instructs users to
> run:
>
>     curl https://3e8.org/pub/chicken-doc/chicken-doc-repo-5.tgz | sudo tar zx
>
> in a directory that's often located within /usr. This is not ideal from a
> security perspective, especially given that the remote file changes
> daily so some users can be expected to repeat the command lots of times.
>
> An immediate safeguard is to edit the wiki page to add the verbose flag to
> the suggested tar command, causing it to show the pathnames of all the files
> it extracts.
>
> For a proper fix, could chicken-doc be modified to download the tar file,
> sanity-check its contents, and unpack it safely into the user's home
> directory instead?
>
> Alternatively, if the documentation is shipped in some kind of file format
> with an index for fast lookup, it doesn't need to be extracted into multiple
> files at all. There are reasonably simple databases like CDB and Berkeley DB
> for jobs like this.
>
> -l
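The "sanity-check its contents, and unpack it safely" step asked for in the quoted message, as an added example that is not part of this thread and not chicken-doc's own code. It is written in Python for illustration; the function names and the constructed sample archive are assumptions.

```python
import io
import os
import tarfile


def audit_members(tar, dest):
    """Return (name, reason) for every member that must not be extracted."""
    dest = os.path.realpath(dest)
    problems = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        if os.path.isabs(m.name):
            problems.append((m.name, "absolute path"))
        elif os.path.commonpath([dest, target]) != dest:
            problems.append((m.name, "escapes destination"))
        elif not (m.isfile() or m.isdir()):
            # Symlinks, hard links, devices and FIFOs have no place in a doc repo.
            problems.append((m.name, "not a regular file or directory"))
    return problems


def extract_checked(data, dest):
    """Extract a .tgz (bytes, already downloaded) into dest only if every member passes."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        problems = audit_members(tar, dest)
        if problems:
            raise ValueError(f"refusing to extract: {problems}")
        members = tar.getmembers()
        for m in members:
            m.mode = 0o755 if m.isdir() else 0o644  # drop setuid/setgid bits
        # Use Python's own extraction filter as a second layer where it exists.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)


def build_sample(entries):
    """Constructed test archive; entries are (name, kind), kind 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, "/etc"
                tar.addfile(info)
            else:
                body = b"(constructed sample)\n"
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Run as a normal user against a directory under the home directory, the check rejects the whole archive if any single member fails, so nothing is written on a bad download.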