[Bf-docboard] security considerations about building the new blender manual ...

Campbell Barton ideasman42 at gmail.com
Thu Sep 25 13:05:02 CEST 2014


On Thu, Sep 25, 2014 at 8:48 PM, Dan McGrath <danmcgrath.ca at gmail.com> wrote:
> The context of the conversation is lost a bit (it happened on irc).
>
> The concern was that since anyone could join the project via phab and get
> commit access, an automated system would require some defensive design and
> avoid blindly calling "make" as it could be rewritten by a drive-by evil
> committer and cause the automated system to possibly execute commands.
>
> Instead of calling "make" directly I proposed that we could avoid this
> particular problem by simply invoking sphinx manually. Hopefully sphinx
> would not have similar issues when done this way?

In that case we have to restrict who can commit, since
`manual/conf.py` is no more secure than makefiles.

> On Thu, Sep 25, 2014 at 6:41 AM, Campbell Barton <ideasman42 at gmail.com>
> wrote:
>>
>> Why would make be less secure than sphinx-build?
>>
>> On Thu, Sep 25, 2014 at 8:32 PM, Gaia <gaia.clary at machinimatrix.org>
>> wrote:
>> > Troubled has pointed out in #blendercoders that running "make"
>> > on the new sphinx based document system is potentially
>> > dangerous and could even damage the documentor's computer.
>> > While the chance seems small that this really happens, it still
>> > seems to be one of the reasons why we do not yet get an
>> > automated documentation build system.
>> >
>> > I think that all documentors should be made aware
>> > of this problem here:
>> >
>> >      https://developer.blender.org/project/view/53/
>> >
>> > I believe that adding a remark about security and how to
>> > generate the documentation on a local computer more
>> > securely is important.
>> >
>> > Troubled mentioned the following alternative to make would
>> > be a safe way to build the docs:
>> >
>> >      sphinx-build -b html ./manual ./html
>> >
>> > The above-mentioned document proposes to use the evil
>> > make instead ...
>> >
>> > cheers,
>> > Gaia
>> > _______________________________________________
>> > Bf-docboard mailing list
>> > Bf-docboard at blender.org
>> > http://lists.blender.org/mailman/listinfo/bf-docboard
>>
>>
>>
>> --
>> - Campbell



-- 
- Campbell
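The point made above, that a checkout's conf.py is executed as Python by sphinx-build just as its Makefile is executed by make, is shown below in an added example. This is not code from the thread, from Sphinx or from the Blender manual project. The checkout layout (Makefile at the root, manual/conf.py), the marker-file payload and the hash-pinning gate are illustrative assumptions; load_conf_like_sphinx is a simplified stand-in for Sphinx's own config loader, which also execs conf.py in a namespace. The gate is one "defensive design" an automated builder could apply when commit access cannot be restricted: pin the files that are code run by the build to hashes recorded from a reviewed revision, and refuse to invoke make or sphinx-build when they differ.

```python
# Added example, not code from the thread or the Blender manual project.
# Assumed layout: <checkout>/Makefile and <checkout>/manual/conf.py.
import hashlib
import os
import shutil
import tempfile

# Constructed sample configs.  The malicious one stands in for what a
# drive-by committer could push; its payload only drops a marker file.
BENIGN_CONF = '''\
project = "Blender Manual"
html_theme = "default"
'''

MALICIOUS_CONF = '''\
project = "Blender Manual"
# Attacker-controlled statements: sphinx-build runs these while reading
# its configuration, before a single page is rendered.
import os
with open(os.path.join(os.path.dirname(__file__), "pwned.txt"), "w") as fh:
    fh.write("conf.py executed arbitrary code")
'''

MAKEFILE = "html:\n\tsphinx-build -b html ./manual ./html\n"

# Files whose content is executed by the build rather than rendered.
# Anything conf.py can import (sys.path additions, local extensions)
# belongs on this list too; it is kept short here for clarity.
BUILD_CODE_FILES = ("Makefile", "manual/conf.py")


def load_conf_like_sphinx(path):
    """Stand-in for Sphinx's config loader: exec conf.py as Python in a
    fresh namespace.  Invoking sphinx-build directly is therefore no safer
    than make: both execute whatever the last committer wrote."""
    namespace = {"__file__": path}
    with open(path, "rb") as fh:
        code = compile(fh.read(), path, "exec")
    exec(code, namespace)
    return namespace


def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_trusted_hashes(checkout):
    """Run once against a reviewed revision.  Keep the result in the
    builder's own configuration, never inside the checkout it protects."""
    return {name: sha256_of(os.path.join(checkout, name))
            for name in BUILD_CODE_FILES}


def build_config_is_trusted(checkout, trusted_hashes):
    """Return (ok, mismatched_names).  An automated builder should refuse
    to run make or sphinx-build when ok is False.  A missing file counts
    as a mismatch too."""
    mismatched = []
    for name in BUILD_CODE_FILES:
        path = os.path.join(checkout, name)
        actual = sha256_of(path) if os.path.isfile(path) else None
        if actual != trusted_hashes.get(name):
            mismatched.append(name)
    return (not mismatched, mismatched)


def make_checkout(conf_source):
    """Create a throwaway checkout with the assumed layout (constructed)."""
    root = tempfile.mkdtemp(prefix="blender-manual-")
    os.mkdir(os.path.join(root, "manual"))
    with open(os.path.join(root, "Makefile"), "w") as fh:
        fh.write(MAKEFILE)
    with open(os.path.join(root, "manual", "conf.py"), "w") as fh:
        fh.write(conf_source)
    return root


def demo():
    """Pin hashes from a reviewed checkout, then evaluate a later commit
    that replaced conf.py.  Returns the observations for inspection."""
    reviewed = make_checkout(BENIGN_CONF)
    tampered = make_checkout(MALICIOUS_CONF)
    try:
        trusted = record_trusted_hashes(reviewed)
        reviewed_ok, _ = build_config_is_trusted(reviewed, trusted)
        tampered_ok, mismatched = build_config_is_trusted(tampered, trusted)
        # If the gate is skipped and sphinx-build is invoked "manually",
        # the payload still runs, at config-load time.
        marker = os.path.join(tampered, "manual", "pwned.txt")
        ns = load_conf_like_sphinx(os.path.join(tampered, "manual", "conf.py"))
        return {
            "reviewed_ok": reviewed_ok,
            "tampered_ok": tampered_ok,
            "mismatched": mismatched,
            "project": ns.get("project"),
            "payload_ran": os.path.isfile(marker),
        }
    finally:
        shutil.rmtree(reviewed, ignore_errors=True)
        shutil.rmtree(tampered, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %r" % (key, value))
```

Running demo() shows the reviewed checkout passing the gate, the tampered one failing on manual/conf.py only (its Makefile is unchanged), and the marker file appearing the moment conf.py is loaded. The gate does not make an untrusted checkout safe to build; it only makes the builder refuse to run until a reviewer has re-pinned the hashes, which is why the remaining options are the ones named in the thread: restrict who can commit, or run the build in a throwaway environment where a hostile Makefile or conf.py has nothing worth damaging.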

