馃悰 deno v1.13 breaks shims using --allow-plugin
#11819
Comments
# [why] Deno v1.13+ breaks prior correct shims using `--allow-plugin` by replacing it with `--allow-ffi` without deprecation. This changes fixes the shim for all v1.x versions of Deno at the cost of decreased security. A more narrow change replacing `--allow-plugin` with `--allow-ffi` for Deno versions if v1.13+ would still allow broken shims when/if the user upgraded from a Deno version less than v1.13. ref: denoland/deno#11819
|
Plugins and FFI are unstable. That said, it seems like something could be added to Line 1277 in df084b9 |
# [why] Deno v1.13+ breaks prior correct shims using `--allow-plugin` by replacing it with `--allow-ffi` without deprecation. This changes fixes the shim for all v1.x versions of Deno at the cost of decreased security. A more narrow change replacing `--allow-plugin` with `--allow-ffi` for Deno versions if v1.13+ would still allow broken shims when/if the user upgraded from a Deno version less than v1.13. ref: denoland/deno#11819
|
Unfortunately, it's a bit more problematic. For my installs, using And if |
|
They should make the |
They cannot be aliased because they are not the same thing: One is a native plugin API, the other is a FFI API. They are not compatible.
Yes, it's unstable, it may break. Deno's stability is described in more detail in the manual: https://deno.land/manual@v1.13.2/runtime/stability "You should be aware that many unstable APIs have not undergone a security review, are likely to have breaking API changes in the future, and are not ready for production." PS: If you are not sure about the stability of an unstable API, sometimes it helps to check the roadmap (#11168). Usually, if an unstable API is mentioned, it's either "stabilize" or "remove". For example, "Remove native plugins API, introduce FFI API" has been the number 1 item on the roadmap for a while now. An example of an unstable API being stabilized is the new HTTP server which is mentioned as "Stabilize native HTTP server API". |
I get it, and I agree with the process. But you're missing the point that normal use of |
You need both
|
|
@MarkTiedemann , thanks for taking the time to look at this issue. I do feel that I'm not correctly communicating the problem to you; I'll try to restate it and improve my explanation... I understand that But the important point here is that % generated by deno install %
@deno "run" "--allow-read" "--allow-write" "--allow-net" "--allow-env" "--allow-run" "--allow-plugin" "--allow-hrtime" "https://deno.land/x/..." %*and #!/bin/sh
# generated by deno install
deno "run" "--allow-read" "--allow-write" "--allow-net" "--allow-env" "--allow-run" "--allow-plugin" "--allow-hrtime" "https://deno.land/x/..." "$@"This is not specifically requested by the user installing the app and is for the most part opaque to casual users. And, then, this acts as a future trip mine which, without any warning, breaks all those shims when upgrading from v1.12 to v1.13, blocking use of all the apps installed using that installation directive. Again, I see this as a bug which needs to be addressed going forward to avoid tripping up ordinary users. Likely, a good solution going forward is to never add unstable flags when installing using |
|
@rivy Thanks for clarifying! I was not aware that This seems like a design issue IMO, too. I would have expected |
|
@MarkTiedemann , expanding the |
|
I don't think there's such a thing as "unintended permission expansion" when using
In this respect In I think that's unexpected and should be fixed. |
|
Yes, @MarkTiedemann, I believe we're saying the same thing... When I say "unintended permission expansion" for a later version of I'm suggesting that the bug is that the expansion of |
No, we're not.
I'm saying that the bug is that There should not be a difference between |
Thanks for clarifying. Hmm, I don't really agree; the current creation of a shim with individual You could argue that, by using But, it would be a simpler implementation. |
|
Using I don't understand the argument that you might want all flags now, but not a potential future flag. In that case, I think, you should specify all flags one by one rather than using |
|
If you have -A and that expands to include --allow-run what precisely could a future flag add that would be more powerful than --allow-run? I get what it is trying to do, but I don't think it's reasonable. If a user says they want -A then we should trust they want -A. (Maybe we can print a warning to say "you installed with -A but we strongly recommend enumerating the permissions...") |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
|
Not stale. This should be addressed at least as a policy statement going forward so that it doesn't happen again... |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
|
Not stale; not addressed as of yet. |
|
@rivy what is the expected solution for this issue? |
|
Opened #13325 |
|
@bartlomieju , the problem is that automatically adding unstable flags when installing potentially breaks future executions with a newer
edit I see @dsherret just added issue #13325 with a resolution similar to the noted suggestion. I think that will work as a solution. |
|
I believe requirement for |
With the change in v1.13 from
--allow-pluginto--allow-ffi(PR #11152), prior shims using--allow-pluginare now broken...IMO,
--allow-pluginshould have been deprecated but allowed until a later date (maybe v2). Changing the command line API like this can suddenly break working setups (as it did mine). To me, this seems to be the definition of a semver API change requiring a major version update.The text was updated successfully, but these errors were encountered: