GNU bug report logs - #26645
guix potluck

Previous Next

Full log

Message #178 received at 26645 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Andy Wingo <wingo <at> igalia.com>
Cc: 26645 <at> debbugs.gnu.org
Subject: Re: bug#26645: [PATCH 5/9] potluck: Add ability to load potluck
 package in sandbox.
Date: Thu, 04 May 2017 22:27:09 +0200

Andy Wingo <wingo <at> igalia.com> skribis:

> * guix/potluck/environment.scm: New file.
> * Makefile.am (MODULES): Add new files.
> * guix/potluck/packages.scm (make-potluck-sandbox-module)
>   (eval-in-sandbox): New helpers.
>   (load-potluck-package): New public function.

[...]

> +     ((getenv "GUIX_POTLUCK_NO_SANDBOX")
> +      (warn "No sandbox available; be warned!!!")

Perhaps this should use ‘warning’ from (guix ui).

> +;; Because potluck package definitions come from untrusted parties, they need
> +;; to be sandboxed to prevent them from harming the host system.
> +(define* (load-potluck-package file #:key
> +                               (time-limit 1)
> +                               (allocation-limit 50e6))
> +  "Read a sequence of Scheme expressions from @var{file} and evaluate them in
> +a potluck sandbox.  The result of evaluating that expression sequence should
> +be a potluck package.  Any syntax error reading the expressions or run-time
> +error evaluating the expressions will throw an exception.  The resulting
> +potluck package will be validated with @code{validate-potluck-package}."

Could you add a couple of tests in tests/potluck-package.scm for this
part, or maybe for ‘eval-in-sandbox’?

Otherwise LGTM, thank you!

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.