Adam Kennedy wrote:
> 2009/1/26 Nicholas Clark <n...@ccl4.org>:
>> On Mon, Jan 26, 2009 at 09:15:38PM +1100, Adam Kennedy wrote:
>>> Unfortunately, any configuration language would eventually trend
>>> towards being Turing complete, and thus the final end-point for the
>>> configuration language ends up with us just using Perl for the
>>> mini-language :)
>> I thought "yes, but Perl has side effects, which means security holes,
>> whereas a mini language could be constrained so that it has no side effects -
>> it's given fixed input about the environment, and the only output is an end
>> state data structure." The only risk from that is a denial of service from
>> using too much CPU or RAM? Which means monitor both.
>>
>> But then I thought that it *still* isn't useful, as the very task that the
>> configure system wants to do is inspect the installed system it's running on,
>> which means that it will always end up wanting a bit more input state. And
>> even providing read-only access to a file system isn't enough, as pretty soon
>> someone wants to know "does this code compile against that library?" and so
>> a sandboxed language doesn't fulfill the tasks required of it.
> 
> Yup, that's pretty much where you end up going whenever you run the
> thought experiment through to completion.

A while ago, Audrey suggested inverting the process.  Rather than having a
program that spits out meta-data, have meta-data which might contain programs.

Why is this useful?  If you have a program it can do anything, this is the
basic Makefile.PL/Build.PL/configure security hole.

If you have meta-data that might run programs, you can be alerted before it
does so.  You can have policies about whether you want that code run.  You can
have defaults in case the code isn't run.  You can absorb common bits of code
into the meta-language so people don't need to write custom code for it any
more.  And the code snippets will be shorter and easier to eyeball for both
security audits and debugging.

For example...

name:           Foo-Bar
version:        from('lib/Foo/Bar.pm')
abstract:       from('lib/Foo/Bar.pm')
authors:
        - Michael G Schwern <schw...@pobox.com>
license:        perl
requires:
        everywhere:
                File::Spec:     0.8
                perl:           5.6.1
        os_is('Win32'):
                Win32::Thing:   1.23
        sub { -x "/usr/bin/mysql" }:
                DBD::mysql:     0

And then we might absorb checks for binary programs into a which("mysql")
meta-language function going forward.  Or even something that probes the
native package manager.

Because this is still dynamic, it may spit out a METALocal.yml to record its
decisions.


-- 
44. I am not the atheist chaplain.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
           http://skippyslist.com/list/
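A sketch of the policy-gated evaluation described in the message above, added here as an illustration and not code from the thread or from any Perl toolchain: built-in predicates (everywhere, os_is, which) are resolved as data, while an embedded sub {...} runs only if a hypothetical META_ALLOW_CODE policy permits it, under a timeout, and every decision is recorded the way a METALocal.yml would. The requires block is a constructed copy of the example above.

```perl
use strict; use warnings; use Config;
# Constructed sample: the "requires" block from the message above, as
# condition string => { module => minimum version }.
my %requires = (
    'everywhere'                  => { 'File::Spec' => '0.8', 'perl' => '5.6.1' },
    "os_is('Win32')"              => { 'Win32::Thing' => '1.23' },
    'sub { -x "/usr/bin/mysql" }' => { 'DBD::mysql' => '0' },
);
# Hypothetical policy knobs: embedded code runs only if explicitly allowed, and only for bounded time.
my $ALLOW_CODE   = $ENV{META_ALLOW_CODE} ? 1 : 0;
my $CODE_TIMEOUT = 5;
# Built-in meta-language predicates: plain lookups against the environment, no side effects.
my %builtin = (
    everywhere => sub { 1 },
    os_is      => sub { $^O eq $_[0] },
    which      => sub { my $p = shift; grep { -x "$_/$p" } split /\Q$Config{path_sep}\E/, $ENV{PATH} },
);
# Returns 1 or 0 for one condition and records what was decided in @$decisions.
sub evaluate_condition {
    my ($cond, $decisions) = @_;
    if ($cond =~ /^(\w+)(?:\('([^']*)'\))?$/ and $builtin{$1}) {
        my ($fn, $arg) = ($1, $2);
        return $builtin{$fn}->(defined $arg ? $arg : ()) ? 1 : 0;
    }
    if ($cond =~ /^sub\s*\{/) {
        unless ($ALLOW_CODE) {
            push @$decisions, "skipped [$cond]: policy forbids running code, defaulting to false";
            return 0;    # the default that applies when the snippet is not run
        }
        my $result = eval {
            local $SIG{ALRM} = sub { die "timeout\n" };
            alarm $CODE_TIMEOUT;
            my $code = eval($cond) or die $@;    # compile the snippet
            $code->();                           # run it; its value is the condition
        };
        alarm 0;
        chomp(my $err = $@);
        push @$decisions, "ran [$cond]: " . ($err ? "failed ($err)" : $result ? "true" : "false");
        return $result ? 1 : 0;
    }
    die "unknown condition '$cond'\n";
}
my (@decisions, %needed);
for my $cond (sort keys %requires) {
    next unless evaluate_condition($cond, \@decisions);
    $needed{$_} = $requires{$cond}{$_} for keys %{ $requires{$cond} };
}
print "requires:\n";            print "    $_: $needed{$_}\n" for sort keys %needed;
print "METALocal decisions:\n"; print "    - $_\n" for @decisions;
```

Run once with META_ALLOW_CODE unset and once with it set to see the code-bearing entry switch from "skipped" to "ran" in the decisions list.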