Hello,
what I miss from this mail is sandboxing - while "tracking installed files" is included - but what about containing the build process in a chroot-like environment (there was somewhere a long discussion about what is suitable and what not on which platforms)? Is anyone putting effort into this?

Since signing won't make it into 1.3 (or 2.0, however you name it), I'd like to propose to remove the "--insecure" and "--no-check-certificate" arguments from the download program [curl/wget] (in src/repository/opamDownload.ml). The history of this starts in https://github.com/ocaml/opam/issues/55 - some sites had invalid/untrusted certificates. A followup is in https://github.com/ocaml/opam/issues/2006 .

My reasoning: certificates which are trusted with the OS-shipped trust anchors are nowadays easy to get (Let's Encrypt hands those out for free; StartSSL and others also provide free certificates). In order to improve this Internet, it is better to be picky (so that people will actually fix their https infrastructure). Also, given that some work has been done to transparently mirror packages, there'll be a (secure!?) fallback in case package authors mess something up. People who don't bother can still manually set up their download tool to something which does not check any certificates. Secure should be the default (also for downloading the opam repository, which is done via https, but no certificates are checked). I'm sure someone (either opam weather status or dockerized scripts, or the mirror) will easily be able to set up infrastructure to report archive download failures immediately and report them upstream.

Thanks for working on this, Louis (and others), and I'm looking forward to a new release really soon now,

hannes
_______________________________________________ opam-devel mailing list [email protected] http://lists.ocaml.org/listinfo/opam-devel
