Commit 8c400a40 authored by Edward Z. Yang's avatar Edward Z. Yang Committed by GitHub

Merge pull request #3840 from dcoutts/secure-by-default

Use security by default for central hackage repo
parents c2dfc331 2e8b7df6
......@@ -92,6 +92,7 @@ cache:
before_cache:
- rm -fv $HOME/.cabal/packages/hackage.haskell.org/build-reports.log
- rm -fv $HOME/.cabal/packages/hackage.haskell.org/00-index*
- rm -fv $HOME/.cabal/packages/hackage.haskell.org/*.json
# Deploy Haddocks to the haskell/cabal-website repo.
after_success:
......
......@@ -26,6 +26,8 @@ build_script:
- echo "" | ..\cabal install --only-dependencies --enable-tests
- ..\cabal configure --user --ghc-option=-Werror --enable-tests
- ..\cabal build
# update package index again, this time for the cabal under test
- dist\build\cabal\cabal.exe update
- ..\cabal test unit-tests --show-details=streaming --test-option=--pattern=!FileMonitor --test-option=--hide-successes
- ..\cabal test integration-tests --show-details=streaming --test-option=--pattern=!exec --test-option=--hide-successes
- ..\cabal test integration-tests2 --show-details=streaming --test-option=--hide-successes
......
......@@ -532,13 +532,9 @@ addInfoForKnownRepos repo
remoteRepoKeyThreshold = 0
} | secure /= Just False
= r {
--TODO: When we want to switch us from using opt-in to opt-out
-- security for the central hackage server, uncomment the
-- following line. That will cause the default (of unspecified)
-- to get interpreted as if it were "secure: True". For the
-- moment it means the keys get added but you have to manually
-- set "secure: True" to opt-in.
--remoteRepoSecure = Just True,
-- Use hackage-security by default unless you opt-out with
-- secure: False
remoteRepoSecure = Just True,
remoteRepoRootKeys = defaultHackageRemoteRepoKeys,
remoteRepoKeyThreshold = defaultHackageRemoteRepoKeyThreshold
}
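Review bot: The new comment above `remoteRepoSecure = Just True` says how to opt out but not what opting out costs or when this branch applies. The visible part of the pattern also requires `remoteRepoKeyThreshold = 0` (the rest of the pattern and the enclosing function start outside the hunk), so an entry that already carries its own key settings appears not to be switched to secure here. Suggested wording: `-- Secure (hackage-security) by default; only an explicit "secure: False" opts out, which turns off hackage-security verification for this repo.` followed by `-- Applies only when no root keys / key threshold are configured for it.`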
......
......@@ -27,6 +27,10 @@ import Network.Browser
import Control.Applicative
#endif
import qualified Control.Exception as Exception
import Control.Exception
( evaluate )
import Control.DeepSeq
( force )
import Control.Monad
( when, guard )
import qualified Data.ByteString.Lazy.Char8 as BS
......@@ -56,6 +60,8 @@ import System.FilePath
( (<.>) )
import System.Directory
( doesFileExist, renameFile )
import System.IO
( withFile, IOMode(ReadMode), hGetContents, hClose )
import System.IO.Error
( isDoesNotExistError )
import Distribution.Simple.Program
......@@ -70,7 +76,6 @@ import Distribution.Simple.Program.Run
( IOEncoding(..), getEffectiveEnvironment )
import Numeric (showHex)
import System.Directory (canonicalizePath)
import System.IO (hClose)
import System.FilePath (takeFileName, takeDirectory)
import System.Random (randomRIO)
import System.Exit (ExitCode(..))
......@@ -340,9 +345,10 @@ curlTransport prog =
resp <- getProgramInvocationOutput verbosity
(programInvocation prog args)
headers <- readFile tmpFile
(code, _err, etag') <- parseResponse uri resp headers
return (code, etag')
withFile tmpFile ReadMode $ \hnd -> do
headers <- hGetContents hnd
(code, _err, etag') <- parseResponse uri resp headers
evaluate $ force (code, etag')
posthttp = noPostYet
......@@ -387,8 +393,9 @@ curlTransport prog =
(code, err, _etag) <- parseResponse uri resp ""
return (code, err)
-- on success these curl involcations produces an output like "200"
-- on success these curl invocations produces an output like "200"
-- and on failure it has the server error response first
parseResponse :: URI -> String -> String -> IO (Int, String, Maybe ETag)
parseResponse uri resp headers =
let codeerr =
case reverse (lines resp) of
......@@ -450,8 +457,9 @@ wgetTransport prog =
"boundary=" ++ boundary ]
out <- runWGet verbosity (addUriAuth auth uri) args
(code, _etag) <- parseOutput uri out
resp <- readFile responseFile
return (code, resp)
withFile responseFile ReadMode $ \hnd -> do
resp <- hGetContents hnd
evaluate $ force (code, resp)
puthttpfile verbosity uri path auth headers =
withTempFile (takeDirectory path) "response" $ \responseFile responseHandle -> do
......@@ -466,8 +474,9 @@ wgetTransport prog =
out <- runWGet verbosity (addUriAuth auth uri) args
(code, _etag) <- parseOutput uri out
resp <- readFile responseFile
return (code, resp)
withFile responseFile ReadMode $ \hnd -> do
resp <- hGetContents hnd
evaluate $ force (code, resp)
addUriAuth Nothing uri = uri
addUriAuth (Just (user, pass)) uri = uri
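Review bot: In the three new `withFile … ReadMode` blocks (the curl header file and the two wgetTransport response files), the content comes from the remote server, yet it is read through a text-mode handle and, in the wget cases, forced whole into a `String`. Text-mode `hGetContents` decodes with the locale encoding, so a byte sequence that is invalid in that encoding would presumably surface as an exception from `evaluate $ force …`. In addition, `force (code, resp)` holds the entire response body in memory with no size cap. Consider `hSetBinaryMode hnd True` before `hGetContents hnd` (it would need adding to the `System.IO` import list), and a length limit on `resp` if callers only display it. The enclosing functions begin outside these hunks.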
......
......@@ -367,6 +367,7 @@ executable cabal
Cabal >= 1.25 && < 1.26,
containers >= 0.4 && < 0.6,
cryptohash-sha256 >= 0.11 && < 0.12,
deepseq >= 1.3 && < 1.5,
filepath >= 1.3 && < 1.5,
hashable >= 1.0 && < 2,
HTTP >= 4000.1.5 && < 4000.4,
......@@ -453,6 +454,7 @@ Test-Suite unit-tests
bytestring,
Cabal,
containers,
deepseq,
mtl,
pretty,
process,
......@@ -613,6 +615,7 @@ test-suite integration-tests2
Cabal,
containers,
cryptohash-sha256,
deepseq,
directory,
filepath,
hackage-security,
......
......@@ -86,6 +86,11 @@ timed cabal new-build cabal-install:cabal \
cabal-install:unit-tests \
cabal-install:solver-quickcheck
# The integration-tests2 need the hackage index, and need it in the secure
# format, which is not necessarily the default format of the bootstrap cabal.
# If the format does match then this will be very quick.
timed ${CABAL_INSTALL_BDIR}/build/cabal/cabal update
# Run tests
(cd cabal-install && timed ${CABAL_INSTALL_BDIR}/build/unit-tests/unit-tests $TEST_OPTIONS) || exit $?
(cd cabal-install && timed ${CABAL_INSTALL_BDIR}/build/solver-quickcheck/solver-quickcheck $TEST_OPTIONS --quickcheck-tests=1000) || exit $?
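Review bot: The added `timed ${CABAL_INSTALL_BDIR}/build/cabal/cabal update` has no failure check, unlike the test lines below it that end in `|| exit $?`. Unless the script enables `set -e` outside this hunk, a failed index update would let integration-tests2 run against a missing or old-format index and fail for an unrelated-looking reason. Suggest `timed "${CABAL_INSTALL_BDIR}/build/cabal/cabal" update || exit $?`, which also quotes the path.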
......