[Bf-docboard] security considerations about building the new blender manual ...

Dan McGrath danmcgrath.ca at gmail.com
Thu Sep 25 12:48:44 CEST 2014


The context of the conversation is lost a bit (it happened on IRC).

The concern was that since anyone could join the project via phab and get
commit access, an automated system would require some defensive design and
avoid blindly calling "make" as it could be rewritten by a drive-by evil
committer and cause the automated system to possibly execute commands.

Instead of calling "make" directly I proposed that we could avoid this
particular problem by simply invoking sphinx manually. Hopefully sphinx
would not have similar issues when done this way?

On Thu, Sep 25, 2014 at 6:41 AM, Campbell Barton <ideasman42 at gmail.com>
wrote:

> Why would make be less secure than sphinx-build?
>
> On Thu, Sep 25, 2014 at 8:32 PM, Gaia <gaia.clary at machinimatrix.org>
> wrote:
> > Troubled has pointed out in #blendercoders that running "make"
> > on the new sphinx based document system is potentially
> > dangerous and could even damage the documentor's computer.
> > While the chance seems small that this really happens, it still
> > seems to be one of the reasons why we do not yet get an
> > automated documentation build system.
> >
> > I think that all documentors should be made aware
> > of this problem here:
> >
> >      https://developer.blender.org/project/view/53/
> >
> > I believe that adding a remark about security and how to
> > generate the documentation on a local computer more
> > securely is important.
> >
> > Troubled mentioned the following alternative to make would
> > be a safe way to build the docs:
> >
> >      sphinx-build -b html ./manual ./html
> >
> > The above mentioned document proposes to use the evil
> > make instead ...
> >
> > cheers,
> > Gaia
> > _______________________________________________
> > Bf-docboard mailing list
> > Bf-docboard at blender.org
> > http://lists.blender.org/mailman/listinfo/bf-docboard
>
>
>
> --
> - Campbell
>
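
An added illustration for the question raised in this thread (not part of the original messages or of Blender's build tooling): `sphinx-build` imports `conf.py` from the source directory as ordinary Python, so calling it directly takes the Makefile out of the picture but not repository-controlled code. The sketch assumes a hypothetical build service that keeps its own `conf.py` outside the checkout, passes it with `-c`, and flags checkout files that would run as code; the function names and directory layout are assumptions.

```python
import os
from pathlib import Path

# Names that run as code at build time: make reads the Makefile, and Sphinx
# imports conf.py (and any .py module that conf.py loads as an extension).
EXECUTABLE_NAMES = {"Makefile", "makefile", "GNUmakefile", "make.bat", "conf.py"}


def build_time_code(checkout):
    """Return sorted relative paths in the untrusted checkout that could run
    as code during a build, plus symlinks that resolve outside the checkout."""
    root = Path(checkout).resolve()
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                target = path.resolve()
                if target != root and root not in target.parents:
                    flagged.append(rel + " (symlink leaves checkout)")
            elif path.is_file() and (name in EXECUTABLE_NAMES or name.endswith(".py")):
                flagged.append(rel)
    return sorted(flagged)


def sphinx_argv(checkout, trusted_conf_dir, out_dir):
    """Build the sphinx-build command line with conf.py taken from a directory
    the build service owns (-c) instead of from the committer-writable tree."""
    root = Path(checkout).resolve()
    conf = Path(trusted_conf_dir).resolve()
    if conf == root or root in conf.parents:
        raise ValueError("trusted conf dir must live outside the checkout")
    if not (conf / "conf.py").is_file():
        raise ValueError("no conf.py in trusted conf dir")
    # Same builder and source directory as the command quoted in the thread.
    return ["sphinx-build", "-b", "html", "-c", str(conf),
            str(root / "manual"), str(Path(out_dir).resolve())]
```

A build job can refuse to run, or queue the commit for review, whenever `build_time_code()` returns anything; running the build as an unprivileged user in a throwaway environment still applies either way.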