Re: chicken-doc instructions recommend extracting tar file as root
From: Jim Ursetto
Subject: Re: chicken-doc instructions recommend extracting tar file as root
Date: Sat, 8 May 2021 20:00:52 -0500
Hi there,
Thanks for your interest. I recommend checking out a copy of the svn wiki repo
and using chicken-doc-admin to import it, instead of using the tarball. For
details see the Quick Start section in
https://api.call-cc.org/5/doc/chicken-doc-admin.
Or, extract the tarball somewhere in your home directory with normal user
permissions, and set CHICKEN_DOC_REPOSITORY to the extraction path, as
mentioned in the documentation.
You may also use the public server https://api.call-cc.org if browser-based
docs are ok.
Jim
> On May 8, 2021, at 2:49 PM, Lassi Kortela <lassi@lassi.io> wrote:
>
> Currently https://wiki.call-cc.org/eggref/5/chicken-doc instructs users to
> run:
>
> curl https://3e8.org/pub/chicken-doc/chicken-doc-repo-5.tgz | sudo tar zx
>
> in a directory that's often located within /usr. This is not ideal from a
> security perspective, especially given that the remote file changes
> daily so some users can be expected to repeat the command lots of times.
>
> An immediate safeguard is to edit the wiki page to add the verbose flag to
> the suggested tar command, causing it to show the pathnames of all the files
> it extracts.
>
> For a proper fix, could chicken-doc be modified to download the tar file,
> sanity-check its contents, and unpack it safely into the user's home
> directory instead?
>
> Alternatively, if the documentation is shipped in some kind of file format
> with an index for fast lookup, it doesn't need to be extracted into multiple
> files at all. There are reasonably simple databases like CDB and Berkeley DB
> for jobs like this.
>
> -l
>
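The safer workflow both messages circle around (fetch the tarball as an ordinary user, look at what is in it, and only then unpack it into a user-owned directory that becomes CHICKEN_DOC_REPOSITORY), written out as an added shell example. This is not code from chicken-doc, chicken-doc-admin or either poster. It assumes GNU tar's `-tv` listing format, curl and a POSIX sh; the function names `tar_listing_is_safe`, `extract_checked` and `fetch_and_extract` and the `$HOME/.chicken-doc` destination are this example's own choices. The URL is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not chicken-doc's own code: fetch the docs tarball as an
# unprivileged user, audit its member list, then extract it into a directory
# the user owns. Assumes GNU tar (-tv listing format), curl and POSIX sh.

# tar_listing_is_safe: read a `tar -tv` listing on stdin; succeed only if every
# member is a plain file or directory whose name is relative, non-empty and
# free of ".." components. Symlinks, hard links, devices and anything the
# parser cannot read are rejected (fail closed).
tar_listing_is_safe() {
    awk '
        NF == 0 { next }
        {
            type = substr($1, 1, 1)
            if (type != "-" && type != "d") {
                print "reject (not a plain file or directory): " $0 > "/dev/stderr"
                bad = 1; next
            }
            # GNU tar -tv: mode owner/group size YYYY-MM-DD HH:MM name.
            # Take everything after the time field so names with spaces survive.
            if (!match($0, / [0-9][0-9]:[0-9][0-9] /)) {
                print "reject (unparseable listing line): " $0 > "/dev/stderr"
                bad = 1; next
            }
            name = substr($0, RSTART + RLENGTH)
            if (name == "" || name ~ /^\//) {
                print "reject (empty or absolute name): " name > "/dev/stderr"
                bad = 1; next
            }
            if (("/" name "/") ~ /\/\.\.\//) {
                print "reject (\"..\" component): " name > "/dev/stderr"
                bad = 1; next
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# extract_checked TARBALL DIR: list with -v (the immediate safeguard proposed
# in the thread), audit the listing, then extract with -v so every path that
# gets written is shown. The archive is never piped straight into tar.
extract_checked() {
    tarball=$1; dir=$2
    listing=$(tar -tzvf "$tarball") || return 1
    printf '%s\n' "$listing" | tar_listing_is_safe || {
        echo "refusing to extract $tarball" >&2; return 1
    }
    mkdir -p "$dir" && tar -xzvf "$tarball" -C "$dir"
}

# fetch_and_extract URL DIR: refuse to run as root, download to a temporary
# file first so the archive can be inspected before anything lands in DIR.
fetch_and_extract() {
    url=$1; dir=$2
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root; extract into a user-owned directory" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    if curl -fsSL --proto '=https' "$url" -o "$tmp" && extract_checked "$tmp" "$dir"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Usage, with no sudo anywhere (destination directory is this example's choice):
#   sh fetch-docs.sh https://3e8.org/pub/chicken-doc/chicken-doc-repo-5.tgz "$HOME/.chicken-doc"
#   export CHICKEN_DOC_REPOSITORY="$HOME/.chicken-doc"
if [ "$#" -eq 2 ]; then
    fetch_and_extract "$1" "$2"
fi
```

GNU tar already strips a leading `/` and warns about `..` on extraction, so the name checks are defence in depth; the checks that tar does not do for you are the rejection of symlink and hard-link members (a link pointing outside the destination followed by a later member written through it is the classic tar escape) and the refusal to run the whole thing as root.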