New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should Pkg.clone run Pkg.build? #12891
Comments
IMO, it should. If I didn't want to run the build, it should maybe accept a keyword argument to stop that, but I've never not wanted to do the build. This can cause trouble when people are playing around on Travis too, I've observed. |
+1. I've wanted this several times as well (when TimeZones.jl was being developed, for example) |
I can't think of a downside. |
+1. Of course, |
+1 |
No, it shouldn't. Security and integrity is a major concern. I case of a registered package there is a bit of trust in a package, that it works correctly, because of developer's effort of putting the package into the public repository, METADATA, (which of course could be with a malicious intent). At least, there is a light review process for METADATA submission which could identify some package inconsistencies and problems. So, when
Bottom line of this rant: be careful of what you install and run on your machine, and value your security against convenience. P.S. There was a discussion about the security |
I'm not sure how this security discussion is relevant. It's clear that quite a few developers want the convenience of having |
No. This is executing arbitrary code, that's not a good idea. |
If you want to clone something without building, e.g. to look at the source code, you can always do |
What he said. It's not like build.jl from tagged packages on metadata are undergoing rigorous security audits anyways. |
Rigorous security audits no, but part of metadata PR review should be looking over the package and checking for anything unusual. This is like downloading a script and piping it directly to an interpreter without looking at it first. People do this all the time out of convenience, but that doesn't make it a good idea or something we should encourage. For code that hasn't been reviewed or looked at by anyone else, there should be a separation between downloading the code, running setup steps, and using it. |
FWIW, I'm with @wildart and @tkelman on this. If anything, have |
Yeah, it's not terrible if you have to do |
"Security" does not mean "force users to type two commands instead of one". If a user is paranoid enough about a package to audit the code before running it, then they are a paranoid enough to type |
With respect, this:
does not comport with this:
and in any event is incorrect, particularly since the Julia command is the same name as the git command, which would cause a reasonable person to assume they performed equivalent functions - that is, grab code. With this proposal, however, the former would then execute untrusted code. Having an option to clone and build seems to be what people want, and there's no reason not to provide it; but repurposing a command that has historically been used to fetch only (and which has an analog in the underlying system it represents) to perform a potentially unsafe action that is currently present in neither implementation is just bad practice. |
If we want to change the contract of what |
Maybe |
+1 to having |
Another issue that |
Why even export a |
I have wondered the same thing |
for convenience? |
With |
A user with superificial knowledge of |
Does |
I like the idea of using |
We also won't be bundling or depending on the presence of command-line git forever. @wildart's libgit2-based git repl mode will be usable for simple cases though. |
Closing this, will likely be reworked for Pkg3. |
I just noticed that when
Pkg.clone
-ing an unregistered package,Pkg.build
does not appear to be run automatically. In contrast,Pkg.add
callsPkg.build
to build binary dependencies.Is this an inconsistency between
Pkg.add
andPkg.clone
? This issue came up when I was trying out an unregistered package that required a binary external dependency and I was confused about why the call to the library it wrapped was failing.The text was updated successfully, but these errors were encountered: