diff --git a/CHANGES b/CHANGES index e3870f74546..f111e2b054f 100644 --- a/CHANGES +++ b/CHANGES @@ -13,6 +13,7 @@ are not marked). variables setup, color console and utf8 (using specific C stubs) * Better detection of the running shell * Added shell helpers to automatically sync the environment on every prompt +* Support for selecting different backends if compiled in the `ocaml-mccs` solver lib 2.0.0~rc * Fixes diff --git a/doc/pages/FAQ.md b/doc/pages/FAQ.md index 43388c589ee..32a6566964d 100644 --- a/doc/pages/FAQ.md +++ b/doc/pages/FAQ.md @@ -66,11 +66,12 @@ remove) are also run in a sandbox and guaranteed not to affect your system. Since opam 2.0.0~rc2, opam uses `bwrap` on Linux to run package instructions in a sandbox. This restricts their access to parts of the system (e.g., forbid -access to operating system, user data, or network). See the [bubblewrap -page](https://github.com/projectatomic/bubblewrap) for details. +access to operating system, user data, or network). See the +[bubblewrap page](https://github.com/projectatomic/bubblewrap) for details. A +similar mechanism is used on macOS, using the `sandbox-exec` command. We use `bwrap` to prevent packages from writing outside their allotted -filesystem space, use network. For example, build commands have restricted +filesystem space or use the network. For example, build commands have restricted write access, restrained to their dedicated build directory and `/tmp`. These sandboxing instructions are specified in the built-in configuration, that you can display with `opam init --show-default-opamrc`: @@ -83,16 +84,16 @@ wrap-install-commands: ["%{hooks}%/sandbox.sh" "install"] {os = "linux"} wrap-remove-commands: ["%{hooks}%/sandbox.sh" "remove"] {os = "linux"} ``` -You can manually disable package build sandboxing and remove bwrap from -the required dependencies (at your own risk). You can use the built-in -configuration as a template to create or update an `opamrc` file: run `opam -init --show-default-opamrc >~/.opamrc`, then edit that file and remove or -modify the [`init-scripts:`](Manual.html#opamrcfield-init-scripts) and -`wrap-*:` fields as well as the `bwrap` line from the `required-tools:` field, -and finally retry `opam init`. - -See also the [wrap entry](Manual.html#configfield-wrap-build-commands) section -in the manual. +Sandboxing provides an important level of security, and should always be kept +enabled. Note, however, that: +- Only the _package_ build/install/remove commands are protected: if you install + a program using opam and execute it, it will run with your standard user + rights. +- If needed, for special cases like unprivileged containers, sandboxing can be + disabled on `opam init` with the `--disable-sandboxing` flag. Or by using a + [custom `opamrc`](Manual.html#configfield-wrap-build-commands). Use wisely, + broken Makefiles that run `rm -rf /` + [__do__ happen](https://github.com/ocaml/opam/issues/3231). --- diff --git a/doc/pages/Manual.md b/doc/pages/Manual.md index e1606209926..6ddc9b2a386 100644 --- a/doc/pages/Manual.md +++ b/doc/pages/Manual.md @@ -945,7 +945,7 @@ files. - `conflict-class: [ ... ]`: an alternate, symmetric way of defining package conflicts. Conflict classes - defined by this field have the same constraints as package names, but occupy a + defined by this field have the same syntactic constraints as package names, but occupy a different namespace. Any two packages having a common conflict class will be considered incompatible. This is useful to define sets of mutually conflicting packages. diff --git a/src/core/opamConsole.ml b/src/core/opamConsole.ml index 477193eea54..ac71cdb96ae 100644 --- a/src/core/opamConsole.ml +++ b/src/core/opamConsole.ml @@ -737,6 +737,15 @@ let print_table ?cut oc ~sep table = let replace_newlines by = Re.(replace_string (compile (char '\n')) ~by) in + let cleanup_trailing sl = + let rec clean acc = function + | s::r -> + let s' = OpamStd.String.strip_right s in + if s' = "" then clean acc r else List.rev_append r (s'::acc) + | [] -> acc + in + clean [] (List.rev sl) + in let print_line l = match cut with | `None -> let s = List.map (replace_newlines "\\n") l |> String.concat sep in @@ -758,15 +767,20 @@ let print_table ?cut oc ~sep table = let rec split_at_overflows start_col acc cur = let append = function | [] -> acc - | last::r -> List.rev (OpamStd.String.strip last :: r) :: acc + | last::r -> List.rev (OpamStd.String.strip_right last :: r) :: acc in function | [] -> List.rev (append cur) | cell::rest -> let multiline = String.contains cell '\n' in + let cell_lines = OpamStd.String.split cell '\n' in let cell_width = + List.fold_left max 0 (List.map visual_length cell_lines) + in + let text_width = List.fold_left max 0 - (List.map visual_length (OpamStd.String.split cell '\n')) + (List.map (fun s -> visual_length (OpamStd.String.strip_right s)) + cell_lines) in let end_col = start_col + sep_len + cell_width in let indent ~sep n cell = @@ -779,10 +793,10 @@ let print_table ?cut oc ~sep table = OpamStd.String.strip_right (OpamStd.String.split cell '\n') in - if end_col < width then + if start_col + sep_len + text_width <= width then if multiline then let cell = - indent ~sep:true start_col (OpamStd.String.strip cell) + indent ~sep:true start_col (OpamStd.String.strip_right cell) in split_at_overflows margin (append (cell::cur)) [] rest else @@ -791,14 +805,14 @@ let print_table ?cut oc ~sep table = width - start_col - max_sep_len >= min_reformat_width then let cell = - OpamStd.String.strip cell |> fun cell -> + OpamStd.String.strip_right cell |> fun cell -> reformat ~width:(width - start_col - max_sep_len) cell |> indent ~sep:true start_col in split_at_overflows margin acc (cell::cur) [] else if multiline || margin + cell_width >= width then let cell = - OpamStd.String.strip cell |> fun cell -> + OpamStd.String.strip_right cell |> fun cell -> reformat ~width:(width - margin) cell |> fun cell -> OpamStd.String.split cell '\n' |> OpamStd.List.concat_map ("\n" ^ indent_string) @@ -817,7 +831,7 @@ let print_table ?cut oc ~sep table = in output_string str; in - List.iter print_line table + List.iter (fun l -> print_line (cleanup_trailing l)) table (* This allows OpamStd.Config.env to display warning messages *) let () = diff --git a/src/core/opamStd.ml b/src/core/opamStd.ml index c0baddc45dd..5a3b67e9deb 100644 --- a/src/core/opamStd.ml +++ b/src/core/opamStd.ml @@ -616,7 +616,7 @@ module OpamSys = struct let cmd = List.find Sys.file_exists (List.map (fun d -> Filename.concat d cmd) path) in - let ic = Unix.open_process_in (cmd^" "^args^" 2>/dev/null") in + let ic = Unix.open_process_in (cmd^" "^args) in try let r = f ic in ignore (Unix.close_process_in ic) ; r @@ -766,7 +766,8 @@ module OpamSys = struct with e -> fatal e; try - with_process_in "ps" (Printf.sprintf "-p %d -o comm=" ppid) + with_process_in "ps" + (Printf.sprintf "-p %d -o comm= 2>/dev/null" ppid) (fun ic -> Some (input_line ic)) with | Unix.Unix_error _ | Sys_error _ | Failure _ | End_of_file | Not_found -> diff --git a/src/state/opamFileTools.ml b/src/state/opamFileTools.ml index 7984932cd65..677c428c79c 100644 --- a/src/state/opamFileTools.ml +++ b/src/state/opamFileTools.ml @@ -728,7 +728,7 @@ let warns_to_string ws = | `Error -> OpamConsole.colorise `red "error" in OpamStd.Format.reformat ~indent:14 - (Printf.sprintf " %15s %2d: %s" ws n s)) + (Printf.sprintf " %16s %2d: %s" ws n s)) ws (* Package definition loading *)