rts: Stop tracing environment variables (fixes #15371)
Closed, Public

Authored by maoe on Sep 27 2018, 9:58 PM.

Details

Summary

This tracing may cause a security issue as some external tools
out there expect users to set credentials in environment variables.

Diff Detail

Repository
rGHC Glasgow Haskell Compiler
maoe created this revision. Sep 27 2018, 9:58 PM
maoe updated the Trac tickets for this revision. Sep 27 2018, 10:00 PM

Hmm, the ticket talks about making this feature opt-in, which makes a lot of sense to me, but this patch just drops the feature entirely. What's the reasoning behind this?

maoe added a comment. Edited Oct 1 2018, 8:09 AM

> Hmm, the ticket talks about making this feature opt-in, which makes a lot of sense to me, but this patch just drops the feature entirely. What's the reasoning behind this?

As I mentioned in the ticket, if this feature was not used widely we could consider just dropping it. Since it has never been useful to me, I assumed there was not much use for it. Of course this assumption could be wrong.

If we were to make this opt-in, there would be a few ways to do it:

  • Add an RTS flag to enable this feature: -le or something like that.
    • We need to think about whether or not it should be included in +RTS -la. I'd say this shouldn't be included, but it complicates the flag semantics.
  • Drop it from GHC RTS and provide a library to do it.
    • This requires access to source code to use the feature, which is not an option if the program is closed source.

I'm not sure if my assumption is correct but my gut feeling is that we can live without the feature. What do you think?

monoidal accepted this revision. Oct 3 2018, 1:04 PM
This revision is now accepted and ready to land. Oct 3 2018, 1:04 PM
This revision was automatically updated to reflect the committed changes.