[Asdf-devel] mkcl and asdf
Faré
fahree at gmail.com
Wed Apr 9 12:36:41 UTC 2014
>> This suggests that one of the things you need to do is have tighter
>> control over the CL_SOURCE_REGISTRY
>> and ASDF_OUTPUT_TRANSLATIONS around this compilation, to prevent the
>> unwanted ASDF upgrade.
>
> I have to admit that interference from the process environment was not on my
> list of identified threats.
> I just committed two lines in my src/build-asdf-contrib.lsp to guard against
> that. I hope its enough.
> I looked into the source code of ASDF and saw that it read the content of at
> least 11 environment variables!
> Should I be paranoid and guard also against the 9 nine others beside the two
> you mentioned?
>
grep 'getenv.*"' *p u*/*p actually finds 15 different variables that
*may* be used.
But when these two are controlled, all other variables are unused, except for
__CL_ARGV0 that you shouldn't care about and TMPDIR (or TEMP, on Windows)
that should be left in the user's control —
if it's bogus, a lot more things than ASDF will break;
and if the user wants to divert it, he probably knows what he's doing.
—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
Love doesn't scale. — Eric S. Raymond
More information about the asdf-devel
mailing list