Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

opam should use an allow list for OPAM* environment variables #4661

Closed
dra27 opened this issue May 14, 2021 · 4 comments
Closed

opam should use an allow list for OPAM* environment variables #4661

dra27 opened this issue May 14, 2021 · 4 comments
Milestone
2.2.0~alpha

Comments

@dra27
Copy link
Member

dra27 commented May 14, 2021

At present, environment variables are communicated through to package builds by default. This should be hardened to an allow list, mainly to prevent accidental leaking of user environment variables to package builds.

Related to #4660
@dra27 dra27 added this to the 2.2.0~alpha milestone May 14, 2021
@dra27
Copy link
Member Author

dra27 commented May 14, 2021

NB - in case it seems tempting - using an allow list for all environment variables is a Windows non-starter (it's just too hard...!)

@dra27 dra27 mentioned this issue May 19, 2021
Closed
@AltGr
Copy link
Member

AltGr commented May 20, 2021

I can confirm 😅

@dra27
Copy link
Member Author

dra27 commented Jul 2, 2021
edited

This is now limited to 2.0 OPAM variables only (since #4663)

@dra27
Copy link
Member Author

dra27 commented Jul 2, 2021

This is something which opam 3.x might choose to do, but for compatibility the fact that all new environment variables are scrubbed is enough for 2.x

@dra27 dra27 closed this as completed Jul 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.2.0~alpha
Development

No branches or pull requests
2 participants
@AltGr @dra27