Bug#702349: lintian should not complain about hardening for package written in pure Ocaml

To: 702349@bugs.debian.org
Cc: Prach Pongpanich <prachpub@gmail.com>, Niels Thykier <niels@thykier.net>, debian-ocaml-maint@lists.debian.org
Subject: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
From: Hendrik Tews <tews@os.inf.tu-dresden.de>
Date: Wed, 06 Mar 2013 09:37:00 +0100
Message-id: <[🔎] 6xr4jsc4b7.fsf@blau.inf.tu-dresden.de>
Reply-to: Hendrik Tews <tews@os.inf.tu-dresden.de>, 702349@bugs.debian.org
In-reply-to: <[🔎] CAF=n8MKDX0yQK9oOkUdRHnxRN7x_Ltgwif=zR3tNsg5R7bO-GA@mail.gmail.com> (Prach Pongpanich's message of "Tue, 5 Mar 2013 22:25:45 +0700")
References: <[🔎] CAF=n8MKDX0yQK9oOkUdRHnxRN7x_Ltgwif=zR3tNsg5R7bO-GA@mail.gmail.com>

Prach Pongpanich <prachpub@gmail.com> writes:

   lintian should not complain about hardening for package written in
   pure Ocaml [0],[1],[2]

The problem is, that even pure OCaml contains enough features
that may permit arbitrary memory corruptions by an attacker. For
instance, String.unsafe_blit has no bounds checks, Obj.magic is
an unsafe cast, Marshal.from_channel may break the type
system, ...

Moreover, it is almost impossible to avoid these unsafe
functions, because they are used in the standard library. 

In principle I agree, that programs written in a certain subset
of OCaml do not need these hardening features. However, at the
moment this safe subset is not even identified...

Bye,

Hendrik

Reply to:

Follow-Ups:
- Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
  - From: Stéphane Glondu <glondu@crans.org>

References:
- Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
  - From: Prach Pongpanich <prachpub@gmail.com>

Prev by Date: Bug#701477: lintian: Should it support XDG?
Next by Date: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Previous by thread: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Next by thread: Bug#702349: lintian should not complain about hardening for package written in pure Ocaml
Index(es):
- Date
- Thread